Calculate duration between Windows EventCodes

lohans
Explorer

Hi,

I am new to Splunk, so if this is a stupid question - forgive me! 😉

I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.

The problem is that I don't have any unique field between the events to do the transaction on.

These are the two events:

SERVER SHUTDOWN INITIATED

11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.

SERVER RESTARTED AND ONLINE

11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.

I tried to do the transaction on the EventCode fields. This works to an extent but not 100%, as it creates transactions across multiple servers. A workaround to this is to use the maxspan field, but sometimes the servers take a long time to come online again, making the use of maxspan difficult. I also tried using the RecordNumber field, as the RecordNumber between normal shutdown and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.

Any ideas?


ziegfried
Influencer

You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:

sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006) 
| transaction host startswith="EventCode=6006" endswith="EventCode=6005" 
| eval restart_duration=tostring(duration,"duration") 
| table _time host restart_duration


ziegfried
Influencer

Seems like 378 days... You can take a look at those found transactions by removing the eval and the table command and looking at long durations by appending | where duration>86400. It's probably because of missing events or incorrectly parsed timestamps or something like that. Please accept the answer if it was helpful.

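As an added illustration (not from the thread and not Splunk's own code), the same pairing logic in Python: it parses events in the WinEventLog:System layout shown in the question, pairs each ComputerName's 6006 with its next 6005 the way transaction host startswith="EventCode=6006" endswith="EventCode=6005" does, renders the duration in the D+HH:MM:SS form that appeared as 378+14:52:21 above, and flags anything over 86400 seconds or left without a startup event, which is the check the follow-up reply suggests. The sample events and host names are constructed, and the host key is taken from ComputerName rather than Splunk's host field.

```python
import re
from datetime import datetime

# Constructed sample events in the WinEventLog:System layout from the question: one
# clean restart, one host whose 6005 arrives 378 days late, one host that never comes back.
SAMPLE_EVENTS = """\
11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=SRV01 Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.
11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=SRV03 Category=0 CategoryString=none RecordNumber=100 Message=The Event log service was stopped.
11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=SRV01 Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.
11/24/10 11:50:00 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=SRV04 Category=0 CategoryString=none RecordNumber=7 Message=The Event log service was stopped.
12/08/11 02:39:33 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=SRV03 Category=0 CategoryString=none RecordNumber=102 Message=The Event log service was started.
"""

TS_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d [AP]M) (.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # key=value pairs; Message keeps its spaces

def parse_event(line):
    """Split one event into (timestamp, {field: value})."""
    m = TS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S %p")
    return ts, dict(KV_RE.findall(m.group(2)))

def splunk_duration(seconds):
    """Render like tostring(duration,"duration"): HH:MM:SS, or D+HH:MM:SS past one day."""
    days, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    mi, s = divmod(rem, 60)
    base = f"{h:02d}:{mi:02d}:{s:02d}"
    return f"{days}+{base}" if days else base

def restart_transactions(raw, max_sane=86400):
    """Pair each host's 6006 with its next 6005; flag long or unmatched restarts."""
    events = sorted((parse_event(l) for l in raw.splitlines() if l.strip()), key=lambda e: e[0])
    open_start, results = {}, []
    for ts, f in events:
        host = f["ComputerName"]            # the question's events carry the host as ComputerName
        if f["EventCode"] == "6006":
            open_start[host] = ts           # a newer shutdown supersedes an unmatched older one
        elif f["EventCode"] == "6005" and host in open_start:   # a 6005 with no 6006 (crash/power loss) is skipped
            dur = (ts - open_start.pop(host)).total_seconds()
            results.append({"host": host, "_time": ts, "duration": dur,
                            "restart_duration": splunk_duration(dur),
                            "suspicious": dur > max_sane})   # the '| where duration>86400' check
    for host, ts in open_start.items():     # shutdowns that never saw a matching startup
        results.append({"host": host, "_time": ts, "duration": None,
                        "restart_duration": None, "suspicious": True})
    return results
```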

lohans
Explorer

Just one more question - why would the restart duration be displayed like this for some hosts? 378+14:52:21


lohans
Explorer

Thx a million! Exactly what I needed!
