×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mpjjonker
Explorer
Member since: ‎11-27-2020
‎12-02-2020
Community Statistics
Posts 6
Solutions 0
Karma Given 4
Karma Received 0
Member Since ‎11-27-2020
Activity Feed
View All

Newbee question: Looking for start events without ...

by in Splunk Search
‎12-01-2020 06:13 AM
‎12-01-2020 06:13 AM
Our system logs an event when it receives a message (with a unique key) Some time later our system also logs an event when we are ready (same unique key) There are also messages in between. I want to be able to find which messages have already arrived, but for which we do not (yet) have a "ready" event . I now have this query index = <our index> ApplicationName = <our application> | sort DOCID | stats first (_time) as start last (_time) as end by DOCID And that gives a table with 3 columns, in which sometimes there is an equal value of start and end. But I now want a list of DOCIDs that do have a start event but no end event. ... View more
Labels

Re: newbe question about time spent

by in Reporting
‎11-27-2020 07:13 AM
‎11-27-2020 07:13 AM
@ITWhisperer  I think I run into the issue you hinted at when you asked me how do I know the end. I am getting negative durations (meaning end is before start)... How should I use this host field to tell Splunk that the time for this event is to be considered last (or first depending on the host) ? ... View more

Re: newbe question about time spent

by in Reporting
‎11-27-2020 06:38 AM
‎11-27-2020 06:38 AM
maybe this one: https://community.splunk.com/t5/Splunk-Search/Subtracting-two-timestamps/m-p/230899   ... View more

Re: newbe question about time spent

by in Reporting
‎11-27-2020 06:37 AM
‎11-27-2020 06:37 AM
Ok thanks @ITWhisperer I now have a report with 3 columns : orderid start end Which command can I best use to subtract start from end ? The minus sign does not work. Subtract also not.. A link to the documentation is also welcome . ... View more

Re: newbe question about time spent

by in Reporting
‎11-27-2020 06:08 AM
‎11-27-2020 06:08 AM
Thanks I will try this out. The last step of the process is in another system, so I can use the host field (I hope) to now the last _time ... View more

newbe question about time spent

by in Reporting
‎11-27-2020 05:42 AM
‎11-27-2020 05:42 AM
Good day,   I am new to Splunk and just have completed the fundamentals I course.   For my first use case I am looking for an example where I can create reports/dashboard on average time spent in our systems. I have a key (orderid) and multiple systems log events where they provide this orderid as field. In some systems the process continues after a human has acted. This might take hours or days.   I need to display stats like: average time to process an order end to end. But also the number of orders that have started but have not yet ended.   Thanks   Can you point me to a sample/documentation that will help me to achieve this ? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-02-2020 11:55 AM
Karma given to
View All