How to find out the event with max duration?
I used the transaction command to group events and I want to find the event with the maximum duration.
Details are unknown, but ...
・・・・|transaction ・・・・|stats max(duration)
OR
・・・・|transaction ・・・・|sort -duration|head 1
The selected answer is correct if you have one field name; for multiple fields I similarly use:
|sort - duration
|dedup field_name
You are right! I tried the second search script to get the longest transaction, but is there any way to show column one "max(duration)" and column two _raw at once?
Instead of doing the ... | head 1, try instead using the limit=<number> parameter of the sort. Then to make it pretty or include other fields, use the table command.
... | transaction ...stuff... |table duration, _raw | sort limit=1 - duration
Give that a shot and see if it works for you.
Happy Splunking!
Rich
Hi Rich
Thanks! I am going to modify my search script based on your suggestion.