Re: Find differences between timestamps for all tr...

mosierg · ‎07-15-2014

Every line of the log file has a transaction id, a time stamp, and a message. It is intended to show a trace of all transactions. I'd like to modify the query below to show the differences between timestamps at all points and possibly highlight the largest differences per transaction.

The query I currently have is
| sort time ASC | stats list(time) , list(message) by id | sort id

somesoni2 · ‎07-15-2014

Try this

your base search  | sort 0 time | streamstats current=f window=1 last(time) as prevTime by id | eval duration=time-prevTime | eventstats max(duration) as MaxDur by id | eval duration=if(duration=MaxDur,"**".tostring(duration),duration)  | stats list(time) , list(duration) , list(message) by id

somesoni2 · ‎07-17-2014

Start with you base search and try adding pieces one by one and see which part of the search is breaking things/not working as expected. This works fine with similar data I have.

mosierg · ‎07-17-2014

Any ideas why this query isn't working?

mosierg · ‎07-15-2014

Data is being returned but it is just some of the lines of the log files

somesoni2 · ‎07-15-2014

Can you validate if data is being returned before the stats command?

mosierg · ‎07-15-2014

The variable names look right but now it isn't showing anything for duration.

somesoni2 · ‎07-15-2014

Just fixed one type in the eval. Try the updated search. Also, check the variable names (time/id/message).

mosierg · ‎07-15-2014

When I run that query, I'm returned all 0s for duration

Find differences between timestamps for all transactions

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!