Solved: How to find out the event with max duration?

chhawu · ‎10-27-2016

How to find out the event with max duration?
I used command transaction to group events and I want to find out the event with max duration.

HiroshiSatoh · ‎10-27-2016

View solution in original post

akocak · ‎03-08-2018

Selected answer correct for if you have one field name, for multiple similarly I use:

|sort - duration
|dedup field_name

HiroshiSatoh · ‎10-27-2016

chhawu · ‎10-28-2016

You are right ! I try to search with second search script to get the longest transaction,but is there any way to show column one "max(duration)" and column two _raw at once?

Richfez · ‎10-28-2016

Instead of doing the ... | head 1, try instead using the limit=<number> parameter of the sort. Then to make it pretty or include other fields, use the table command.

... | transaction ...stuff...  |table duration, _raw  | sort limit=1 - duration

Give that a shot and see if it works for you.

Happy Splunking!
Rich

chhawu · ‎10-31-2016

Hi Rich

Thanks ! I am going to modify my search script base on your suggestion.

How to find out the event with max duration?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!