Hi,
I am new to Splunk, so if this is a stupid question - forgive me! 😉
I want to calculate the duration between two Windows EventCodes to determine how long server restarts take across the organisation.
The problem is that I don't have any unique field between the events to do the transaction on.
These are the two events:
SERVER SHUTDOWN INITIATED
11/24/10 11:47:12 AM
LogName=System
SourceName=EventLog
EventCode=6006
EventType=4
Type=Information
ComputerName=XXXX
Category=0
CategoryString=none
RecordNumber=14339
Message=The Event log service was stopped.
SERVER RESTARTED AND ONLINE
11/24/10 11:49:38 AM
LogName=System
SourceName=EventLog
EventCode=6005
EventType=4
Type=Information
ComputerName=XXXX
Category=0
CategoryString=none
RecordNumber=14341
Message=The Event log service was started.
I tried to do the transaction on the EventCode fields. This works to an extent but not 100%, as it creates transactions across multiple servers. A workaround to this is to use the maxspan field, but sometimes the servers take a long time to come online again, making the use of maxspan difficult. I also tried using the RecordNumber field, as the RecordNumber between normal shutdowns and startups would be RecordNumber for shutdowns and RecordNumber+2 for startups.
Any ideas?
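As an added example (not part of the original post), here is the pairing logic in Python over constructed sample events laid out like the two above: ComputerName is the key that ties a 6006 to the next 6005 on the same host, so cross-server matching cannot happen and no maxspan is needed, a slow restart still pairs correctly, and a startup with no preceding shutdown is reported separately. Host names SRV-A/B/C and the event list are assumptions for the demo.

```python
from datetime import datetime

SHUTDOWN, STARTUP = "6006", "6005"  # Event log service stopped / started

# Constructed sample in the same layout as the post's events: timestamp on the
# first line, key=value fields after it. Two hosts interleave, SRV-B restarts
# slowly, and SRV-C comes up with no 6006 first (e.g. a crash or log gap).
RAW_EVENTS = [
    "11/24/10 11:47:12 AM\nLogName=System\nEventCode=6006\nComputerName=SRV-A",
    "11/24/10 11:48:00 AM\nLogName=System\nEventCode=6006\nComputerName=SRV-B",
    "11/24/10 11:49:38 AM\nLogName=System\nEventCode=6005\nComputerName=SRV-A",
    "11/24/10 01:05:00 PM\nLogName=System\nEventCode=6005\nComputerName=SRV-B",
    "11/24/10 02:00:00 PM\nLogName=System\nEventCode=6005\nComputerName=SRV-C",
]


def parse_event(raw: str) -> dict:
    """First line is the timestamp, remaining lines are key=value pairs."""
    lines = raw.strip().splitlines()
    fields = dict(line.split("=", 1) for line in lines[1:] if "=" in line)
    fields["_time"] = datetime.strptime(lines[0].strip(), "%m/%d/%y %I:%M:%S %p")
    return fields


def restart_durations(events):
    """Pair each host's 6006 with that host's next 6005, in time order.

    Returns a list of (host, shutdown_time, duration_seconds). A startup with
    no open shutdown on the same host yields shutdown_time=None and
    duration_seconds=None so it can be reviewed rather than silently dropped.
    """
    open_shutdown = {}  # host -> time of its most recent unmatched 6006
    results = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        host, code = ev["ComputerName"], ev["EventCode"]
        if code == SHUTDOWN:
            open_shutdown[host] = ev["_time"]  # a repeated 6006 resets the timer
        elif code == STARTUP:
            start = open_shutdown.pop(host, None)
            duration = (ev["_time"] - start).total_seconds() if start else None
            results.append((host, start, duration))
    return results


if __name__ == "__main__":
    for host, start, dur in restart_durations([parse_event(r) for r in RAW_EVENTS]):
        print(f"{host}: shutdown={start} duration_s={dur}")
```

In Splunk the same keying is expressed by giving ComputerName to the transaction command with startswith/endswith on the two EventCodes, so the span is per host rather than across all servers.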