- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- time range customization
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an xml file. Over which i m performing searches. the result i m getting is in this form
Text Date
1 Application: AVA failed 2014-01-24 14:21:53.50
Application: AVA started 2014-01-24 14:49:20.54
2 Application: AVA failed 2014-01-24 14:05:38.51
Application: AVA started 2014-01-24 14:20:17.71
3 Application: AVA failed 2014-01-24 14:04:42.00
Application: AVA started 2014-01-24 14:05:34.74
in this Application: AVA failed and Application: AVA started should be counted as 1 event if the difference between their occurrence time is 3 min. How can we evaluate the the time difference and how can we extract the minutes from the Date field?
any sort of help over this welcome.....Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are three events. Each event gives two things the start text and the failed text.
For this result i have used the following query
sourcetype=test| transaction startswith="Application: AVA started" AND endswith="Application: AVA failed" | sort Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try sorting by the DAY not the DATE, what this is doing is restructuring the 'transaction' hence it being in the wrong order for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These are three events. Each event gives two things the start text and the failed text.
For this result i have used the following query
sourcetype=test| transaction startswith="Application: AVA started" AND endswith="Application: AVA failed" | sort Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're getting 6 events in total (in your example) or 3 events only? Also, could you post your search query?
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
