Refine your search:

0
2

I have log entries looking as follows:

Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47,993;

Nov 16 08:33:08 psdkxt05 MID=xxx004E;XID=;SID=;UID=;STM=2010-11-16 08:33:08,824;

Nov 16 08:07:44 psdkxt05 MID=XXX005I;XID=;SID=;UID=;STM=2010-11-16 08:07:44,255;

Nov 16 08:03:03 psdkxt05 MID=XXX004E;XID=;SID=;UID=;STM=2010-11-16 08:03:03,120;

I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E

I have following search:

host = psdkxt05 MID=XXX004E OR MID=XXX005I 
| EVAL PRC=SUBSTR(MID,1,3)
| EVAL ERR=SUBSTR(MID,5,3)
| SORT -_time
| delta _time as diff
| EVAL Outage(Minutes)=ROUND(diff/-60) 
| TABLE PRC ERR Outage(Minutes) _time

This gives following result:

 1. 1   11/16/10 8:37:47.000 AM XXX 05I
 2. 2   11/16/10 8:33:08.000 AM XXX 04E 5
 3. 3   11/16/10 8:07:44.000 AM XXX 05I 25
 4. 4   11/16/10 8:03:03.000 AM XXX    04E  5

How do I avoid the calculation in line 3?

asked 18 Nov '10, 10:33

JYTTEJ's gravatar image

JYTTEJ
216217
accept rate: 25%

edited 18 Nov '10, 12:17

ziegfried's gravatar image

ziegfried ♦
11.4k1720


One Answer:

This looks like a good opportunity for "... | transaction ...". When you build a transaction, it will automatically compute a "duration" field for that transaction that is the number of seconds from the beginning to end. I don't fully understand your data, but something like this might work:

host=psdkxt05 MID=XXX004E OR MID=XXX005 | 
transaction beginswith=XXX004E endswith=XXX005I |
EVAL PRC=SUBSTR(MID,1,3) |
EVAL ERR=SUBSTR(MID,5,3) |
EVAL Outage(Minutes)=duration/60 |
TABLE PRC ERR Outage(Minutes) _time

See http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction for more details.

link

answered 18 Nov '10, 12:23

dwaddle's gravatar image

dwaddle ♦
17.9k2934
accept rate: 33%

THANK YOU!I did try the transaction before asking the question. But could not make it work- but it does now with your help :-). Thank you so much. (I am quite new in the SPLUNK world...)

(18 Nov '10, 13:43) JYTTEJ
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×35

Asked: 18 Nov '10, 10:33

Seen: 1,839 times

Last updated: 18 Nov '10, 12:23

Copyright © 2005-2014 Splunk Inc. All rights reserved.