- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Calculate duration between Windows EventCodes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am new to Splunk, so if this is a stupid question - forgive me! 😉
I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.
The problem is that i don't have any unique field between the events to do the transaction on.
These are the two events:
SERVER SHUTDOWN INITIATED
11/24/10 11:47:12 AM LogName=System SourceName=EventLog EventCode=6006 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14339 Message=The Event log service was stopped.
SERVER RESTARTED AND ONLINE
11/24/10 11:49:38 AM LogName=System SourceName=EventLog EventCode=6005 EventType=4 Type=Information ComputerName=XXXX Category=0 CategoryString=none RecordNumber=14341 Message=The Event log service was started.
I tried to do the transaction on the EventCode fields, this works to an extend but not 100% as it creates transaction across multiple servers. A workaround to this is to use the maxspan field. But sometimes the servers takes a long time to come online again making the use of maxspan difficult. I also tried using the RecordNumber field as the RecordNumber between normal shutdown and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:
sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006)
| transaction host startswith="EventCode=6006" endswith="EventCode=6005"
| eval restart_duration=tostring(duration,"duration")
| table _time host restart_duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a "transaction" on the host field and by specifying a starts-with and ends-with condition, you should get the desired results:
sourcetype=WinEventLog:System (EventCode=6005 OR EventCode=6006)
| transaction host startswith="EventCode=6006" endswith="EventCode=6005"
| eval restart_duration=tostring(duration,"duration")
| table _time host restart_duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems like 378 days... You can take a look at those found transactions by removing the eval and the table command and looking at long durations by appending | where duration>86400. It probably because of missing events or incorrectly parsed timestamps or something like that. Please accept the answer, if it was helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just one more question - why would the restart duration be displayed like this for some hosts? 378+14:52:21
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx a million! Exactly what i needed!
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
