Solved: How to find out the event with max duration?

chhawu · ‎10-27-2016

How to find out the event with max duration?
I used command transaction to group events and I want to find out the event with max duration.

HiroshiSatoh · ‎10-27-2016

View solution in original post

akocak · ‎03-08-2018

Selected answer correct for if you have one field name, for multiple similarly I use:

|sort - duration
|dedup field_name

HiroshiSatoh · ‎10-27-2016

chhawu · ‎10-28-2016

You are right ! I try to search with second search script to get the longest transaction,but is there any way to show column one "max(duration)" and column two _raw at once?

Richfez · ‎10-28-2016

Instead of doing the ... | head 1, try instead using the limit=<number> parameter of the sort. Then to make it pretty or include other fields, use the table command.

... | transaction ...stuff...  |table duration, _raw  | sort limit=1 - duration

Give that a shot and see if it works for you.

Happy Splunking!
Rich

chhawu · ‎10-31-2016

Hi Rich

Thanks ! I am going to modify my search script base on your suggestion.

How to find out the event with max duration?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio