How to display time stamp in each line on transaction?

hemanath_ofc
Explorer

1

0/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start
10/21/14 13:17:08.747 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:08.840 WLL-EX CCTX_POS_GET_TenderTypeStatus = 0

10/21/14 13:17:08.919 SERIAL SerialComClass:****NOTICE: Serial Port cleared OK
10/21/14 13:17:08.919 SERIAL Send Msg() >
10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00]

10/21/14 13:17:09.090 WLL-EX CCTX_OS_GET_TypeStatus = 0

10/21/14 13:17:09.090 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]
10/21/14 13:17:09.262 SERIAL SerialComClass:**NOTICE: Serial Port cleared OK
10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start

In the above log, I formed a transaction using: transaction startswith="ZPIMXTerminal.Send Start" endswith="ZPIMXTerminal.Send Start"

I wanted to display the time stamp in the below two lines:

10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00]
10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00]

If I specify _time, it's giving me only the start time of the transaction.

0 Karma

aholzer
Motivator

I'd suggest capturing the times you are interested in before the transaction into a different field. Like so:

<base search> | eval ack_sent_time = if(like(_raw,"%GetAckNak Sent%"),_time,nullif(1,1)) | eval ack_recv_time = if(like(_raw,"%GetAckNak Recv%"),_time,nullif(1,1)) | transaction ...

This will store the _time in a field called ack_sent_time only if the event contains "GetAckNak Sent", and will store the _time in a field called ack_recv_time only if the event contains "GetAckNak Recv". Otherwise these fields will be NULL.

This will allow you to do things like:

... | stats latest(ack_sent_time) earliest(ack_recv_time) by <field>

To get the last sent time, and the first received time.

Hope this helps.
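
A runnable version of the approach in the answer above, added here as an example (not code from the thread): the ack timestamps are copied into their own fields before `transaction`, and `mvlist=true` keeps every value in arrival order instead of a de-duplicated, alphabetically sorted set. The `makeresults` events are constructed sample lines modelled on the question's log, the field name `constructed_sample` is hypothetical, and formatting with `strftime` before grouping is a variation on the answer, which stores the raw `_time`.

```spl
| makeresults
| eval constructed_sample=split("10/21/14 13:17:08.747 SERIAL ZPIMXTerminal.Send Start;10/21/14 13:17:08.809 SERIAL GetAckNak Sent: [00];10/21/14 13:17:08.981 SERIAL GetAckNak Recv: [00];10/21/14 13:17:09.153 SERIAL GetAckNak Recv: [00];10/21/14 13:17:09.262 SERIAL ZPIMXTerminal.Send Start", ";")
| mvexpand constructed_sample
| eval _raw=constructed_sample
| eval _time=strptime(substr(_raw, 1, 21), "%m/%d/%y %H:%M:%S.%3N")
| sort 0 - _time
| eval ack_sent_time=if(like(_raw, "%GetAckNak Sent%"), strftime(_time, "%m/%d/%y %H:%M:%S.%3N"), null())
| eval ack_recv_time=if(like(_raw, "%GetAckNak Recv%"), strftime(_time, "%m/%d/%y %H:%M:%S.%3N"), null())
| transaction startswith="ZPIMXTerminal.Send Start" endswith="ZPIMXTerminal.Send Start" mvlist=true
| table _time duration eventcount ack_sent_time ack_recv_time
```

On indexed data, replace everything up to and including the `sort` with the base search; the `_time` of the grouped result is still the earliest event's timestamp, which is why the per-line times have to be carried in separate fields.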
