I have log entries looking as follows:
Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47,993;
Nov 16 08:33:08 psdkxt05 MID=xxx004E;XID=;SID=;UID=;STM=2010-11-16 08:33:08,824;
Nov 16 08:07:44 psdkxt05 MID=XXX005I;XID=;SID=;UID=;STM=2010-11-16 08:07:44,255;
Nov 16 08:03:03 psdkxt05 MID=XXX004E;XID=;SID=;UID=;STM=2010-11-16 08:03:03,120;
I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E
I have following search:
<code>host = psdkxt05 MID=XXX004E OR MID=XXX005I | EVAL PRC=SUBSTR(MID,1,3) | EVAL ERR=SUBSTR(MID,5,3) | SORT -_time | delta _time as diff | EVAL Outage(Minutes)=ROUND(diff/-60) | TABLE PRC ERR Outage(Minutes) _time </code>
This gives following result:
<code> 1. 1 11/16/10 8:37:47.000 AM XXX 05I 2. 2 11/16/10 8:33:08.000 AM XXX 04E 5 3. 3 11/16/10 8:07:44.000 AM XXX 05I 25 4. 4 11/16/10 8:03:03.000 AM XXX 04E 5 </code>
How do I avoid the calculation in line 3?
This looks like a good opportunity for "... | transaction ...". When you build a transaction, it will automatically compute a "duration" field for that transaction that is the number of seconds from the beginning to end. I don't fully understand your data, but something like this might work:
<code>host=psdkxt05 MID=XXX004E OR MID=XXX005 | transaction beginswith=XXX004E endswith=XXX005I | EVAL PRC=SUBSTR(MID,1,3) | EVAL ERR=SUBSTR(MID,5,3) | EVAL Outage(Minutes)=duration/60 | TABLE PRC ERR Outage(Minutes) _time </code>
See http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction for more details.
Trying to identify duplicate logs 1 Answer