Getting Data In

How to display time stamp in each line on transaction?

hemanath_ofc
Explorer

10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
10/21/14 13:17:08.747 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:08.840 WLL-EX CCTX_POS_GET_TenderTypeStatus = 0

10/21/14 13:17:08.919 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.919 SERIAL Send Msg() >
10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00]

10/21/14 13:17:09.090 WLL-EX CCTX_OS_GET_TypeStatus = 0

10/21/14 13:17:09.090 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.262 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start

In the above log, I formed a transaction using: transaction startswith="ZPIMXTerminal.Send Start" endswith="ZPIMXTerminal.Send Start"

I wanted to display the time stamp in the below two lines:

10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]

If I specify _time, it's giving me only the start time of the transaction.

0 Karma

aholzer
Motivator

I'd suggest capturing the times you are interested in before the transaction into a different field. Like so:

<base search> | eval ack_sent_time = if(like(_raw,"%GetAckNak Sent%"),_time,nullif(1,1)) | eval ack_recv_time = if(like(_raw,"%GetAckNak Recv%"),_time,nullif(1,1)) | transaction ...

This will store the _time in a field called ack_sent_time only if the event contains "GetAckNak Sent", and will store the _time in a field called ack_recv_time only if the event contains "GetAckNak Recv". Otherwise these fields will be NULL.

This will allow you to do things like:

... | stats latest(ack_sent_time) earliest(ack_recv_time) by <field>

To get the last sent time, and the first received time.

Hope this helps.
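The same idea reproduced offline in Python, as an added example that is not part of the answer above and is not Splunk code: each event is tagged with its own ack timestamp before grouping, so the per-event times survive even though the grouped record keeps only the start time. The function names are hypothetical, the sample is an abridged copy of the question's log, and pairing one marker line with the next is a simplification of what the transaction command does.

```python
from datetime import datetime

MARKER = "ZPIMXTerminal.Send Start"
# Lines copied from the question's log (abridged), used as sample input.
SAMPLE = """\
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
10/21/14 13:17:08.747 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:08.840 WLL-EX CCTX_POS_GET_TenderTypeStatus = 0
10/21/14 13:17:08.919 SERIAL Send Msg() >
10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.262 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
"""

def parse_line(line):
    """Split 'MM/DD/YY HH:MM:SS.mmm message' into (datetime, message)."""
    date, clock, message = line.split(" ", 2)
    return datetime.strptime(f"{date} {clock}", "%m/%d/%y %H:%M:%S.%f"), message

def summarise(events):
    """Collapse events into one record; _time is the first event's time only."""
    return {
        "_time": events[0]["_time"],
        "ack_sent_time": [e["ack_sent_time"] for e in events if e["ack_sent_time"]],
        "ack_recv_time": [e["ack_recv_time"] for e in events if e["ack_recv_time"]],
    }

def build_transactions(text):
    """Tag ack times per event first, then group events between marker lines."""
    done, current = [], None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        ts, message = parse_line(line)
        # Same idea as the two evals: the field exists only on matching events.
        event = {
            "_time": ts,
            "ack_sent_time": ts if "GetAckNak Sent" in message else None,
            "ack_recv_time": ts if "GetAckNak Recv" in message else None,
        }
        if current is None:
            if MARKER in message:      # a marker opens a transaction
                current = [event]
            continue
        current.append(event)
        if MARKER in message:          # the next marker closes it (simplification)
            done.append(summarise(current))
            current = None
    return done

if __name__ == "__main__":
    for tx in build_transactions(SAMPLE):
        print(tx["_time"], max(tx["ack_sent_time"]), min(tx["ack_recv_time"]))
```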
