Getting Data In

Transaction start and finish times

Ant1D
Motivator

Hey,

I have a question about the transaction search command.

If I am using a transaction on an event that has two timestamps in it, how can I access/use both of the timestamps after the transaction is done for start and finish times?

Here's an example of one event that has two timestamps in it.

1342541754952 environment="prodemea" event_type="JobStarting" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"
1342541758729 environment="prodemea" event_type="JobCompleted" component="Job Controller" job_id="cf430a0b-bfcd-4765-891d-253da3607135"

Here's the search that I am doing:
index=prod (event_type="jobStarting" OR event_type="JobCompleted") | transaction job_id | table _time duration job_id

The result of the search gives me the start time (_time), the duration of the transaction and the job_id. How can I also get the finish time? (which in this case would be 1342541758729)

Thanks in advance for your help.

1 Solution

Ayn
Legend

_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.

... | eval starttime=_time | eval endtime=_time+duration

View solution in original post

Ayn
Legend

_time is an epoch value, so to get the end time you can just add duration to the transaction event's timestamp.

... | eval starttime=_time | eval endtime=_time+duration

Ant1D
Motivator

seems to do the trick. wasn't sure at first that this would work because the duration values didn't seem to be in a format that could be added to the start time. Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...