When using transaction, SPLUNK always use _time of the 1st event
I need to extract the time of the second event in a transaction
I tried to use Time=_time+duration, however the result sometimes is not accurate
I have used the following transaction command:
index=clientlogs FailedApp=* OR "WorkflowServer.CloseApplication * pid:" 4104 | rex field=Message.Text "pid: (?\d+)"| transaction AppPID host startswith="WorkflowServer.CloseApplication * pid:" endswith="Application * failed" maxspan=60s mvlist=t| eval Time=_time+duration | eval date = strftime(Time, "%Y-%m-%d %H:%M:%S.%2N")
1st event time: 2017-01-07 11:01:13.10
2nd event time: 2017-01-07 11:01:16.39
duration: 2.39 sec
The sum result is: 2017-01-07 11:01:16.40
Is there a better way to extract the second event timestamp?
If not, is there a way to fix this issue?
see results in the attached file
... View more