Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is their any other way to calculate the starttime and endtime for my data?

prashanthberam
Explorer
‎12-17-2016 03:23 PM

I have attached the screenshot of my data.
I have transaction starttime as inbound message event time and endtime is outbound message event time. I need to calculate the responseTime of each transaction and rest of the fields that I am extracting from the data. after that I need to calculate the summary index for that after that I want use those information in other fields. Below is the search I have used, but after creating the summary index while retrieving them, I am getting all the results. The timestamp of the events is not coming into summary, and I am getting only one timestamp, and that is the summary index created time. I am thinking this was happened because I have performed some stats _time. Can anyone can suggest me in this issue?
![alt text][1] 

index=*********** source=******* " "getProcedureDetailBlueChip" OR "getProcedureDetailBlueChipResponse" 
AND "Inbound Message" OR "Outbound Message" OR "getProcedureDetailBlueChip response time returning procedure details" OR "memZipCode assigned to zipCode" 
OR "provZipCode assigned to zipCode" OR  "bnftAgrmtNbr" |rex "(?Inbound|Outbound)" |eval transfield=if(searchmatch("Inbound Message") OR searchmatch("Outbound Message"),1,0) | accum transfield | transaction transfield | rex "ID:(?.*)" 
|rex "(?m)\(?.*)"|rex "(?m)\(?.*)"|rex "(?m)\(?.*)"|rex "(?.*)" |rex "(?.*)"|rex "(?.*)" | rex "(?.*)" | rex "(?.*)" |rex "(?.*)" |rex "(?.*)"|rex "(?.*)"| rex "(?.*)"|rex "(?.*)" |rex "provZipCode assigned to zipCode:(?.*)"| rex "memZipCode assigned to zipCode:(?.*)"|stats min(_time) as startTime,max(_time) as endTime,values(info) as Info,values(ResponseTime) as responseTime,values(StatusCode) as StatusCode,values(message) as StatusMessage,values(CorpEntCd) as corpEntCd,values(costlvlpctl) as Costlvlpctl,values(CptCode) as cptCode,values(GroupNbr) as GroupNbr,values(MemZipCode) as memZipCode,values(procdchrgamt) as ProcChrgamt,values(ProvZipCode) as ProvZipCode,values(SectionNbr) as SectionNbr,values(ServiceDate) as ServiceDate,values(tretcatcd) as TretCatCd,values(tretcatname) as TretCatName,values(bnftAgrmtNbr) as bnftAgrmtNbr,values(acctNbr) as acctNbr,values(provassignZip) as provassignZip,values(memzipassignzip) as memzipassignzip by id,source
|eval responseTime=endTime-startTime|eval StartTime=strftime(startTime,"%Y-%m-%d %H:%M:%S,%3N")|eval EndTime=strftime(endTime,"%Y-%m-%d %H:%M:%S,%3N")
|table id,Info,StartTime,EndTime,responseTime,StatusCode,StatusMessage,source,corpEntCd,Costlvlpctl,cptCode,GroupNbr,memZipCode,ProcChrgamt,ProvZipCode,SectionNbr,ServiceDate,TretCatCd,TretCatName,bnftAgrmtNbr,acctNbr,provassignZip,memzipassignzip
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-17-2016 03:46 PM

If you want to retain the timestamp for your transaction, you need to include _time field in your search result (that you're saving in summary index). Just add an eval for _time just after your big stats to create _time field. If you want to keep start of the transaction as _time value, use startTime else use endTime. Below is example using startTime.

your current search till stats and before eval responseTime | eval _time=startTime | eval responseTime...rest of the search...

Now the _time on the summary index would show startTime values (_time of the Inbound message).

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-17-2016 03:46 PM

If you want to retain the timestamp for your transaction, you need to include _time field in your search result (that you're saving in summary index). Just add an eval for _time just after your big stats to create _time field. If you want to keep start of the transaction as _time value, use startTime else use endTime. Below is example using startTime.

your current search till stats and before eval responseTime | eval _time=startTime | eval responseTime...rest of the search...

Now the _time on the summary index would show startTime values (_time of the Inbound message).

Reply
Solved! Jump to solution

prashanthberam
Explorer
‎12-17-2016 04:44 PM

super bro...thanks it's working ...

0 Karma
Reply
Solved! Jump to solution

prashanthberam
Explorer
‎12-17-2016 04:29 PM

YES.i have created new one..after that I have created the scheduled search for every 15 minutes.i have tried manually by using the collect command. still every event has the same today's timestamp that's why if run any search time interval 15 min still am getting the whole data.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-17-2016 04:33 PM

Ahhh, I forgot to mention to include the field _time in your last table command. You wont get your _time sent to summary index if it's not included in final set of fields.

0 Karma
Reply
Solved! Jump to solution

prashanthberam
Explorer
‎12-17-2016 04:12 PM

still am getting every results bro. if I run a search for last 24 hours by using the summary index am getting all the events that are generated few months back too.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-17-2016 04:24 PM

Did you clean your old/wrong summary index data before running the new search?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...