I have log entries that look as follows:
I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E.
I have the following search:
This gives the following result:
How do I avoid the calculation in line 3?
This looks like a good opportunity for "... | transaction ...". When you build a transaction, it will automatically compute a "duration" field for that transaction that is the number of seconds from the beginning to end. I don't fully understand your data, but something like this might work:
See http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction for more details.
answered 18 Nov '10, 12:23
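As an added illustration (not part of the original question or answer, and not Splunk's own code), here is the pairing rule that `... | transaction <key> startswith=<start> endswith=<end>` applies, re-implemented in Python so the effect on the 005I-to-004E gap can be seen directly. The log format, the `host` key field and the `code=` field are assumptions made for the example, since the original post's log lines and search are not shown; in Splunk the equivalent search would be something like `... | transaction host startswith="code=004E" endswith="code=005I" | table _time host duration`, with the field names adjusted to the real data. The sample log lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample log (not from the original post); the real format is unknown.
# Chronological order; Splunk itself walks events newest-first, but the pairing
# result is the same.
SAMPLE_LOG = """\
2010-11-18 12:00:00 host1 code=004E msg=start
2010-11-18 12:00:07 host1 code=005I msg=end
2010-11-18 12:00:30 host1 code=004E msg=start
2010-11-18 12:00:42 host1 code=005I msg=end
2010-11-18 12:01:00 host1 code=004E msg=start
"""

# Assumed line layout: "<date> <time> <host> code=<code> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) code=(?P<code>\w+)")


def parse(line):
    """Extract _time, host and code from one line; None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "_time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "host": m["host"],
        "code": m["code"],
    }


def transactions(log, key="host", startswith="004E", endswith="005I"):
    """Mimic `transaction <key> startswith=... endswith=...`.

    A transaction opens on the start code and closes on the end code for the same
    key; its duration is end minus start in seconds. Nothing is ever opened on the
    end code, so the gap from a 005I back to the next 004E is never computed,
    which is exactly what the question asks for. An unclosed start is dropped,
    matching Splunk's default of discarding incomplete transactions unless
    keepevicted=true is given.
    """
    open_tx = {}   # key -> start event of the transaction currently open
    result = []
    for line in log.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        k = ev[key]
        if ev["code"] == startswith:
            # A new start supersedes any start that never saw its end.
            open_tx[k] = ev
        elif ev["code"] == endswith and k in open_tx:
            start = open_tx.pop(k)
            result.append({
                key: k,
                "start": start["_time"],
                "end": ev["_time"],
                "duration": (ev["_time"] - start["_time"]).total_seconds(),
            })
        # An end code with no open start is ignored, just as transaction would.
    return result


if __name__ == "__main__":
    for tx in transactions(SAMPLE_LOG):
        print(tx["host"], tx["start"], "->", tx["end"], "duration=%.0fs" % tx["duration"])
```

Run against the constructed sample this yields two transactions of 7 and 12 seconds; the 23-second gap between the first 005I and the second 004E, and the trailing 004E with no matching end, produce nothing.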