I'm new to Splunk and I'm trying to calculate the elapsed time between two events, 'STARTED' & 'FINISHED', by event_type and by context_event. The problem I have is that the timestamp is an extracted field and not the _time given by Splunk. I've tried various different ways using the support portal but have failed miserably 😄
sourcetype=eventstore | transaction source_event startswith="STARTED" endswith="FINISHED" | eval elapsed=timestamp_event-timestamp_event
This is the event output I get when I run the above query, but I can't seem to get it to sum up the elapsed time:
03-01-2014 06:55:30, EventLoggerListener , Event=id='3241388266', message='Report1', timestamp=03-01-2014 06:55:30.535 GMT, type='ENRICHMENT', source='IAS', status='STARTED' 03-01-2014 06:55:30 , EventLoggerListener , Event=id='1670471136', message='Report1', timestamp=03-01-2014 06:55:30.544 GMT, type='ENRICHMENT', source='IAS', status='FINISHED'
context_event = Report1
date_event = 03-01-2014
event_id = 1670471136 event_id = 3241388266
event_type = ENRICHMENT
sourcetype = eventstore
status_event = FINISHED status_event = STARTED
timestamp_event = 06:55:30.535 timestamp_event = 06:55:30.544
Thanks in advance!
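One way to get the elapsed time from the extracted fields rather than _time, as an added example that is not part of the original post. It assumes the extracted fields shown above (date_event, timestamp_event, status_event, context_event, event_type) and that date_event is month-day-year; if it is day-month-year, change %m-%d-%Y accordingly.

```spl
sourcetype=eventstore context_event=* event_type=*
| eval ts_epoch=strptime(date_event." ".timestamp_event, "%m-%d-%Y %H:%M:%S.%3N")
| stats min(eval(if(status_event=="STARTED", ts_epoch, null()))) AS start_ts
        max(eval(if(status_event=="FINISHED", ts_epoch, null()))) AS end_ts
        BY context_event event_type
| where isnotnull(start_ts) AND isnotnull(end_ts)
| eval elapsed_sec=round(end_ts-start_ts, 3)
| sort - elapsed_sec
```

For the two sample events above this gives elapsed_sec=0.009 for Report1 / ENRICHMENT. If several STARTED/FINISHED pairs share the same context_event and event_type, add the field that ties a pair together (the source_event used in your transaction command) to the BY clause so they are not collapsed into one row.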