Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Which timestamp is used when piping a transaction result into timechart command

jbrenner
Path Finder
‎01-21-2022 01:59 PM

I have a transaction command which correlates two log entries. If I pipe this result into a timechart command, which log entry's timestamp does it use to bucketize the results (the first or the second)?

Also, is there a way to specify this?

Thanks! Jonathan

Labels (2)
Labels
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎01-21-2022 05:10 PM

Hi Jonathan
The time stamp used is the one from the earliest event in the transaction. and I don't believe there is a way to change that. 
Other option, depending on your use case, would be to use stats instead and then you could use min(_time) and max(_time) so you end up with 2 time fields that you can choose from.

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply

johnhuang
Motivator
‎01-21-2022 11:06 PM

The transaction will generate a duration field which you can add to _time to get the end time.

 

| transaction ........
| eval _time=_time+duration
| timechart ........

 

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...