Hi All,
I'm just getting started with Splunk, and am having a problem calculating the time for repeating values from a device that only logs its current state. The source looks like this:
06-08-2015 08:00:01.650; ICU ;ISsC3
06-08-2015 08:00:03.981; ICU ;ISsC3
06-08-2015 08:00:04.275; ICU ;ISsC3
...
06-08-2015 08:05:08.175; ICU ;ISsC18
06-08-2015 08:05:04.575; ICU ;ISsC18
I am interested in getting the delta (or summing the time in the C3 state) between the first ISsC3 and the first event that's not ISsC3, skipping over the middle set and the next set of non-C3 events, and summarizing these as sessions.
My search looks like this:
mysearch ...|transaction startswith="IcuState=C3" endswith="IcuState!=C3" |table _time duration
I don't have a session ID, just a start and stop event for each log file. The output seems to be a pairing of every C3 to every non-C3; I'm fine deduping the middle data, since it's not interesting for this search.
What am I missing?
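The sessionization the question asks for, written out as an added Python example (not from the original post or from Splunk): collapse each run of C3 events into one session that starts at the first C3 event and ends at the first following event whose state is not C3. The log lines are constructed from the sample above, and two more state changes are appended so there is a second session. Assumptions: the timestamp is MM-DD-YYYY, the state field the question calls IcuState is the number after "ISsC", and lines may arrive slightly out of order (the sample has 08:05:08 logged before 08:05:04), so events are sorted by time before pairing.

```python
"""Added example (not from the original post): sessionize a state log.

Each line looks like "06-08-2015 08:00:01.650; ICU ;ISsC3" (constructed from
the sample in the question). The device only logs its current state, so a
session in state C3 runs from the first C3 event until the first event whose
state is not C3. Assumptions: timestamps are MM-DD-YYYY, and the state code
(the question's IcuState field) is the number after "ISsC".
"""
import re
from datetime import datetime

# Assumed line layout: "<timestamp>; <source> ;ISsC<state>"
LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3});\s*(\w+)\s*;ISsC(\d+)\s*$"
)

# Constructed sample: the five lines from the question plus a second C3 run.
SAMPLE_LOG = """\
06-08-2015 08:00:01.650; ICU ;ISsC3
06-08-2015 08:00:03.981; ICU ;ISsC3
06-08-2015 08:00:04.275; ICU ;ISsC3
06-08-2015 08:05:08.175; ICU ;ISsC18
06-08-2015 08:05:04.575; ICU ;ISsC18
06-08-2015 08:07:00.000; ICU ;ISsC3
06-08-2015 08:07:30.500; ICU ;ISsC3
06-08-2015 08:09:00.000; ICU ;ISsC7
"""


def parse(text):
    """Return (timestamp, source, state) tuples sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f")
        events.append((ts, m.group(2), int(m.group(3))))
    # The device does not guarantee ordering (08:05:08 precedes 08:05:04 in
    # the sample), so sort before looking for transitions.
    events.sort(key=lambda e: e[0])
    return events


def sessions(events, state=3):
    """Return (start, end, seconds) for each run of `state`.

    `start` is the first event of the run, `end` is the first later event
    with a different state. Repeated events inside the run are skipped.
    A run still open at end of log is reported with end=None, seconds=None.
    """
    out = []
    start = None
    for ts, _src, st in events:
        if st == state:
            if start is None:          # first event of a new run
                start = ts
        elif start is not None:        # first non-C3 event closes the run
            out.append((start, ts, (ts - start).total_seconds()))
            start = None
    if start is not None:
        out.append((start, None, None))
    return out


def total_seconds_in_state(events, state=3):
    """Sum the duration of all closed runs of `state`."""
    return sum(s for _, _, s in sessions(events, state) if s is not None)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for start, end, secs in sessions(evs):
        print(f"{start} -> {end}  {secs}s")
    print("total in C3:", total_seconds_in_state(evs), "s")
```

In SPL the same idea is usually expressed by first reducing the stream to state changes (for example, sort by _time, use streamstats to carry the previous event's IcuState, and keep only events where it differs) and only then pairing start and stop events; deduping consecutive identical states before pairing is what prevents every C3 event from being matched against every non-C3 event.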