×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
whipstash
Engager
Member since: ‎04-08-2024
‎10-18-2024
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-08-2024
Activity Feed
View All

Re: Multi sourcetype search for extracted value

by in Splunk Search
‎10-18-2024 10:45 AM
‎10-18-2024 10:45 AM
Thanks for your help Giusepe. This is helpful for getting the duration. However, I would also like to table the results from filtering the events in sourcetypeA and having the duration. This solution does not seem to merge the two resulting searches. ex. table _time computerName sessionID filteredInfoIWant1 filteredInfoIwant2 duration ... View more

Multi sourcetype search for extracted value

by in Splunk Search
‎10-17-2024 05:00 PM
‎10-17-2024 05:00 PM
I am having some issues getting this to work correctly. It does not return all the results. I have different records in different sourcetypes under the same index. sourcetypeA eventID = computerName.sessionID infoIWant1 = someinfo1 infoIWant2 = someinfo2   SourcetypeB's events are broken into events that I need to correlate. sourcetypeB event1------------------------------------------------------- sessionID= sessionNo1 direction=receive -----------------------------------------------------------------   event2-------------------------------------------------------- sessionID=sessionNo1 direction=send -----------------------------------------------------------------   I attempted the below search using the transaction command to correlate the records in sourcetypeB. index=INDEX sourcetype=sourcetypeA | rex field=eventID "\w{0,30}+.(?<sessionID>\d+)" | do some filter on infoIWant fields here | join type=inner sessionID [ search index=INDEX sourcetype=sourcetypeB | transaction sessionID | where eventcount==2 | fields sessionID duration ] | chart count by duration ... View more

Re: Calculating duration from a number

by in Splunk Search
‎04-08-2024 03:28 PM
‎04-08-2024 03:28 PM
Thanks ITWhisperer! I did try the string conversion, but it did not work. This looks like it did the trick! ... View more

Calculating duration from a number

by in Splunk Search
‎04-08-2024 02:39 PM
‎04-08-2024 02:39 PM
I am trying to find the duration for a time span. The "in" and "out" numbers are included in the data as type: number. I attempted: in = 20240401183030 out = 20240401193030 | convert mktime(in) AS IN | convert mktime(out) AS OUT | eval Duration =OUT - IN I have not been able to find a function that would directly convert number to time or if there is some multifunctional way to get the right duration between the two, But this does not perform the correct time math.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-18-2024 03:13 PM
Karma given to
View All