Splunk Search

I am trying to write a query that displays how long an application has been running. So far I have the following string.

smazzatenta
New Member

host="server" EventCode=4688 OR EventCode=469 | transaction New_Process_Name startswith=(EventCode=4688) endswith=(EventCode=4689) | where duration > 1 | search New_Process_Name="extend.exe" New_Process_Name="excel.exe"


samjenk_2
Explorer

Were you ever able to improve the speed of this search by replacing transaction with a more efficient function, like stats or streamstats? If so, could you share? Thanks!


javiergn
SplunkTrust

Hi, can you be more specific? Is the search above working for you at all?
By looking at your query, it seems you pretty much got what you were trying to achieve, apart from some typos and the OR missing in your filter:

host="server" EventCode=4688 OR EventCode=4689
| transaction New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689"
| where duration > 1
| search New_Process_Name="extend.exe" OR New_Process_Name="excel.exe"

Let me know if that works for you.


smazzatenta
New Member

I double checked the field and it is named New_Process_Name. When I take "_time" out of the search, New_Process_Name shows up in the display. This actually is what I want but I still need to display what time the application was launched. Can that be displayed as well?

Thanks,
Steve


javiergn
SplunkTrust

Hi,

Can you copy and paste your query so that I can take a quick look?

Thanks,
J


smazzatenta
New Member

Hello,

The first search using "table" does not show the New_Process_Name in the display. It shows the time (2016-01-13T05:06:52.000-5:00) and usage in minutes (528). I am not sure I understand the time.

When I use "timechart" I receive the following error:
Error in 'timechart' command: The specifier 'Usage_In_Minutes' is invalid. It must be in form (). For example: max(size)

Thanks,
Steve


javiergn
SplunkTrust

Is New_Process_Name an actual field in your data? Simply run a quick search against your data (no filtering) to find that out. Keep in mind field names are CASE SENSITIVE.

The timechart error is my fault as I forgot to include the max (or any other aggregation function). I've fixed this in the search below.

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| table _time, New_Process_Name, Usage_In_Minutes

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| timechart max(Usage_In_Minutes) as Usage_In_Minutes by New_Process_Name


smazzatenta
New Member

Once again, thanks for the quick response. I will not be at work for a couple of days but will give it a try when I return on Tuesday. Thanks again for all the help.


smazzatenta
New Member

Thank you. Would you be able to assist in helping me display the numerical values (seconds, minutes, hours)? I tried working on that yesterday and was unsuccessful.

Thanks again for all your help.


smazzatenta
New Member

Hi again, I have been working on this query for a couple days. To clarify, I am trying to write a query that tracks application launch time and duration. Rather than give you a sample of the query, like I did in my previous post, below is the exact query I am using and it does not give me the correct results. Any assistance would be helpful. Thanks.

host="WKSDC-0004" EventCode=4688 OR EventCode=4689 | transaction New_Process_ID Process_ID Process_Name New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689" | search New_Process_Name="C:\Program Files (x86)\ExtendSim9\ExtendSim.exe" OR New_Process_Name="C:\GAMS\win64\24.0\gamside.exe" OR New_Process_Name="Netica.exe" OR New_Process_Name="C:\Programs Files (x86)\Vitech\CORE 8\core80.exe" | chart values(eval(duration/60)) as Usage_In_Minutes by New_Process_Name


javiergn
SplunkTrust

Hi,

In that case I wouldn't use a chart but a table to summarise your requirement. Alternatively, a timechart might do the trick too.
Two options, then:

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| table _time, New_Process_Name, Usage_In_Minutes

yoursearch
| eval Usage_In_Minutes = round(duration/60)
| timechart Usage_In_Minutes by New_Process_Name

Let me know if that works for you.



smazzatenta
New Member

Thank you for the response. To be more specific, I can't seem to display the result correctly on the dashboard. I am trying to show each application on the x-axis and the duration in hours, minutes, seconds on the y-axis. Also, I would like to display the time when the application was launched. Would you mind pointing out which OR I am missing in my filter?

Thank you.


javiergn
SplunkTrust

Hi, it's the second OR, the one in the last line.
If you don't do that, you'll be searching for processes with both names.

With regards to your request:

host="server" EventCode=4688 OR EventCode=4689
| transaction New_Process_Name startswith="EventCode=4688" endswith="EventCode=4689"
| where duration > 1
| search New_Process_Name="extend.exe" OR New_Process_Name="excel.exe"
| chart values(eval(duration/60)) as duration_minutes by New_Process_Name

Keep in mind duration is in seconds, so in order to display that in a chart you need numerical values (seconds, minutes, hours).

Let me know if that helps.
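
As an added example (not posted by anyone in this thread), the search below does the same 4688/4689 pairing without transaction, which is what samjenk_2 asked about near the top of the thread, and also answers the later question about showing the launch time and the duration as hours:minutes:seconds. It assumes the field names already used in the thread (New_Process_ID and New_Process_Name on the 4688 event) plus Process_ID and Process_Name on the 4689 event, which is how the Windows Security log names the terminating process; confirm both against your own extracted fields before relying on it. The host value and the process names are the thread's own placeholders.

```spl
host="server" (EventCode=4688 OR EventCode=4689)
| eval pid        = if(EventCode=4688, New_Process_ID,   Process_ID),
       proc       = if(EventCode=4688, New_Process_Name, Process_Name),
       start_time = if(EventCode=4688, _time, null()),
       end_time   = if(EventCode=4689, _time, null())
| stats min(start_time) as start_time,
        max(end_time)   as end_time,
        earliest(proc)  as New_Process_Name
        by host, pid
| where isnotnull(start_time) AND isnotnull(end_time) AND end_time > start_time
| eval duration = end_time - start_time
| where duration > 1
| search New_Process_Name="*extend.exe" OR New_Process_Name="*excel.exe"
| eval launched         = strftime(start_time, "%Y-%m-%d %H:%M:%S"),
       Usage_In_Minutes = round(duration/60),
       usage_hms        = tostring(round(duration), "duration")
| table launched, host, pid, New_Process_Name, Usage_In_Minutes, usage_hms
```

stats is distributable, so it scales to far more events than transaction, and the launch time is carried explicitly in start_time rather than inferred from the transaction's _time. The caveat is PID reuse: because the grouping key is host plus pid, a process ID that Windows hands out twice inside the search window will have its two lifetimes merged into one row, so keep the time range tight or add a day bucket to the by clause if that matters. For the dashboard chart, replace the final table line with chart max(Usage_In_Minutes) as Usage_In_Minutes by New_Process_Name; charts need the numeric column, and the usage_hms string is only for the table view.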
