Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Start/End time Displaying Same time

_gkollias
Builder
‎02-27-2014 05:33 AM

I have a search where I'd like to show the duration of the order.

My search below almost gives me that, but the start_time and end_time are showing as the same, giving duration a value of 0.000

Here is my search:

index=cg sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="*Task" svc_context_name="$svc_context_name$" | stats min(_time) as start_time, max(_time) as end_time, earliest(status) as start_status, latest(status) as exit_status, first(other) as exit_message, last(total) as total by svc_context_name, _time |eval duration = (end_time-start_time) |convert ctime(start_time) |convert ctime(end_time) |search exit_status="SUCCESS" |table svc_context_name, start_time, end_time, start_status, exit_status, exit_message, duration

I've also tried doing ...|stats earliest(time) as start_time, latest(time) as end_time, etc...| But I get the same results.

Is there a way to modify this search to get more accurate start/end time values?

Thanks!

Tags (1)
0 Karma
Reply

wpreston
Motivator
‎02-27-2014 06:12 AM

See my updated answer on your other question here. Does this help?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...