×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Fury
Loves-to-Learn Lots
Member since: ‎11-05-2020
‎11-09-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-05-2020
View All

Re: Time duration between two events from timestam...

by in Splunk Search
‎11-09-2020 12:48 AM
‎11-09-2020 12:48 AM
@isoutamo    The sample events look like these. 2020-11-04 20:50:42; SOURCE="source1"; sourcetype="abc"; PLATFORM="platform1"; SERVICE="xxxx"; EVENT_MESSAGE="Processing event  with correlationId: C001 at: 20:50:42.374 2020-11-04 20:50:43; SOURCE="source1"; sourcetype="abc"; PLATFORM="platform1"; SERVICE="xxxx"; EVENT_MESSAGE="Processing completed for event  with correlationId: C001, at: 20:50:43.382" And my original query is as below. index=xyz sourcetype=abc SERVICE="xxxx" "Processing event with correlationId: * at: *" OR "Processing completed for event  with correlationId: *, at: *" | table co_id, host, EVENT_MESSAGE, time1, time2 | sort co_id host | transaction co_id   Where co_id, time1, time2 are extracted fields. ... View more

Re: Time duration between two events from timestam...

by in Splunk Search
‎11-06-2020 12:22 AM
‎11-06-2020 12:22 AM
@bowesmana  @isoutamo  Apologies, I have missed to mention that there is a correlation id that ties the events like you said. Events look something like this, event a -  Processing started at : <timestamp> for correlationid001 event b - Processing started at : <timestamp> for correlationid002 event c - Processing completed at: <timestamp> for correlationid001 event d - Processing completed at: <timestamp> for correlationid002 So, correlationid001 ties a -->c correlationid002 ties b-->d I have extracted the correlation id as a field. ... View more

Re: Time duration between two events from timestam...

by in Splunk Search
‎11-05-2020 08:40 PM
‎11-05-2020 08:40 PM
@bowesmana  Thanks for the help. I will try the options you've provided. And answer to your question "how have you established the two events (A and B) as being the ones used to establish the duration?" It was provided to me by the developer of the service/component that these events should be the ones used to establish the duration. ... View more

Re: Time duration between two events from timestam...

by in Splunk Search
‎11-05-2020 07:10 PM
‎11-05-2020 07:10 PM
Thanks for the reply @inventsekar. In my current search, the time stamp i.e,  _time is being captured only in sec. Suppose Event A is logged at 10:00:21.000 & Event B is logged at  10:00:21:450 in real time. The time stamps in splunk would still show it as  Event A @ 10:00:21.000 Event B @  10:00:21.000 So when i use transaction it would give me o as duration. This was the reason the developer has added timestamps in the events, which when logged in splunk would show the timestamps with ms info.  Is there any way I could use of the extracted fields of timestamps? ... View more

Time duration between two events from timestamp me...

by in Splunk Search
‎11-05-2020 04:46 AM
‎11-05-2020 04:46 AM
Hi there,   I have a requirement where i need time duration between two events in ms. Events look like this  Event A: Processing started at : <01:00:00.100> Event B: Processing completed at: <01:00:00:850> The numbers at the end of each event are timestamps and i have extracted them as fields 'time1' and 'time2' respectively. Is there a way to get time duration between these two events form the extracted fields? Using transaction gives the time duration in seconds, whereas i would require it in ms. Please help. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-09-2020 04:29 AM