Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Duration data not returning properly in a transaction?

mtanadsk
Explorer
‎02-15-2011 11:53 PM

Hi,

For some reason, in a query that contains a transaction of some Juniper SSL VPN logs, my duration doesn't seem to be calculating properly. Instead, I'm getting all zero's for my results.

here's the relevant parts of my query:

... | transaction remoteip startswith="started" endswith="ended" | table vpnuser remoteip duration

and here's a snippet of a result:

Feb 15 22:23:51 10.31.248.17 Juniper: 2011-02-15 22:23:51 - nethost - [x.x.x.x] user(FOO-NC)[BarNC] - user/FOO-NC logged out from IP (y.y.y.y) because user started new session from IP (z.z.z.z).
Feb 15 22:24:25 10.31.248.17 Juniper: 2011-02-15 22:24:25 - nethost - [x.x.x.x] user(FOO-NC)[BarNC] - Network Connect: Session ended for user with IP a.a.a.a

I'm getting a properly constructed table, of course, but with the duration column filled with zero's. Even a spot check on the 'duration' field value reveals all zero's.

I basically want the difference in time between the first and last event, and I'm just not getting it.

Thanks in advance for any assistance!

-mt

Tags (1)
Reply

jrodman
Splunk Employee
Splunk Employee
‎02-16-2011 06:33 PM

Does your event-stream have the _time field available prior to invocation of the transaction command? It might be most convenient to check with 

... | eval test_time=_time

where ... is your full search string up to the point of transaction. At this point you can use the field inspection tools on test_time.

One possibility is that all these events got timestamped with the current time, (DATE_CONFIG=current) and were loaded in as historical data.. or something along those lines. It seems a bit unlikely given the recent nature of these events, but not sure what's going on so far.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...