Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get my duration from transaction

chookp
Explorer
‎02-25-2020 07:32 PM

my search query is this:

DESCRIPTION="sump pump" OR (DESCRIPTION="ejector pump" AND DESCRIPTION="run/stop") | rex field=CREATEDATETIME "2019+ (?[^,]+)" | rex field=CREATEDATETIME "(?[^\s]+)" | rex field=TIMEONLY "(?.):(?.):(?.)\s(?.)" | eval TIMEONLY = Hour*3600 + Minute*60 + Second| eval AM=case(AM="AM","0",AM="PM","43200")|eval TIMEONLY=TIMEONLY+AM| sort by !TIMEONLY |transaction DESCRIPTION startswith=VALUE="RUN" endswith=VALUE="STOP"

result i get from search:
alt text

i have created a field for the TIMEONLY , i am stuck with getting the duration of the time between the run and stop time, what can i do such that i am able to subtract my run and stop time to get the active time duration .

Preview file
1 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎02-26-2020 02:26 PM 
DESCRIPTION="sump pump" OR (DESCRIPTION="ejector pump" AND DESCRIPTION="run/stop") 
| eval TIMEONLY =strptime(CREATEDATETIME ,"%m/%d/%Y %T %p")
| eventstats range(TIMEONLY) as duration by DESCRIPTION
| eval duration=tostring(duration,"duration")
0 Karma
Reply

chookp
Explorer
‎02-26-2020 10:03 PM

hi i am sorry as i am new to splunk i am not sure eval |TIMEONLY =strptime(CREATEDATETIME ,"%m/%d/%Y %T %p") | eventstats range(TIMEONLY) as duration by DESCRIPTION | eval duration=tostring(duration,"duration") able to break down the meaning i had try to use the command but did not get the answer i expected.

0 Karma
Reply

to4kawa
Ultra Champion
‎02-27-2020 12:37 AM

strptime
eventstats
range
tostring

0 Karma
Reply

to4kawa
Ultra Champion
‎02-27-2020 12:45 AM

CREATEDATETIME is format "%m/%d/%Y %T %p"
strptime makes epoch time to duration.
eventstats range aggregates duration between run and stop
tostring change duration to readable.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-26-2020 05:47 AM

HI @chookp,
the duration field that's displayed if there the transaction command isn't useful for you?

Ciao.
Giuseppe

0 Karma
Reply

chookp
Explorer
‎02-26-2020 04:27 PM

the transaction command is useful to me, but the info i need to lacking, when i use the transaction there is multi value of TIMEONLY , i just need to subtract both my TIMEONLY to get my active duration. this is the part which i am stuck

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...