
Start/End time Displaying Same time

_gkollias
SplunkTrust

I have a search where I'd like to show the duration of the order.

My search below almost gives me that, but the start_time and end_time are showing as the same, giving duration a value of 0.000.

Here is my search:

index=cg sourcetype=esb_audit esb_top_level=1 NOT bp_bp_name="*Task" svc_context_name="$svc_context_name$" | stats min(_time) as start_time, max(_time) as end_time, earliest(status) as start_status, latest(status) as exit_status, first(other) as exit_message, last(total) as total by svc_context_name, _time |eval duration = (end_time-start_time) |convert ctime(start_time) |convert ctime(end_time) |search exit_status="SUCCESS" |table svc_context_name, start_time, end_time, start_status, exit_status, exit_message, duration

I've also tried doing ...|stats earliest(time) as start_time, latest(time) as end_time, etc...| But I get the same results.

Is there a way to modify this search to get more accurate start/end time values?

Thanks!

0 Karma

wpreston
Motivator

See my updated answer on your other question here. Does this help?

0 Karma
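Added example, not part of the original thread or either poster's code: a small Python model of `stats ... by` over constructed events. It shows that splitting by `_time` leaves one timestamp per group, so `min(_time)` equals `max(_time)` and duration is 0, while splitting by `svc_context_name` alone spans the whole order. The event values and the helper names `stats_by` and `successful` are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not data from the original post.
EVENTS = [
    {"_time": 1700000000.00, "svc_context_name": "order-A", "status": "STARTED"},
    {"_time": 1700000002.50, "svc_context_name": "order-A", "status": "IN_PROGRESS"},
    {"_time": 1700000007.25, "svc_context_name": "order-A", "status": "SUCCESS"},
    {"_time": 1700000001.00, "svc_context_name": "order-B", "status": "STARTED"},
    {"_time": 1700000004.00, "svc_context_name": "order-B", "status": "SUCCESS"},
]


def stats_by(events, by_fields):
    """Model of: stats min(_time) as start_time, max(_time) as end_time,
    latest(status) as exit_status by <by_fields> | eval duration=end_time-start_time"""
    groups = defaultdict(list)
    for ev in events:
        # One group per distinct combination of the split-by field values.
        groups[tuple(ev[f] for f in by_fields)].append(ev)
    rows = []
    for key, evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["_time"])
        start, end = evs[0]["_time"], evs[-1]["_time"]
        rows.append({
            **dict(zip(by_fields, key)),
            "start_time": start,
            "end_time": end,
            "exit_status": evs[-1]["status"],
            "duration": round(end - start, 3),
        })
    return rows


def successful(rows):
    """Model of: | search exit_status="SUCCESS" """
    return [r for r in rows if r["exit_status"] == "SUCCESS"]


if __name__ == "__main__":
    # Split by svc_context_name AND _time: every group holds a single timestamp.
    for row in successful(stats_by(EVENTS, ("svc_context_name", "_time"))):
        print("by name,_time:", row["svc_context_name"], row["duration"])
    # Split by svc_context_name only: the group covers the order's full time span.
    for row in successful(stats_by(EVENTS, ("svc_context_name",))):
        print("by name only: ", row["svc_context_name"], row["duration"])
```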