index="ereg-prod" source=" jobs.*log" | transaction startswith="Start : Before Job" endswith="End : After Job" | rex field=source "/*/logs/job-(?\S+).log"

I wanted to calculate my time taken or duration based on the timings in front of these.

If your Timestamp field is the same as the time field in each event, the work is already done for you.

I want to take that 7394, along with 23 other counts throughout (because there are 24 hours in a day.

20:05:07,411 INFO .(BaseJobListener.java:163) - End : After Job ***********

Transaction automatically creates a field called duration that is the difference between the earliest and latest events in the transaction.

I have successfully created a line graph (it graphs on the end timestamp as the x axis) that plots a count of all the events every hour.
Splunk transaction timestamps events series
19:28:06,435 INFO .(BaseJobListener.java:89) - Start : Before Job *************

duration, 1245, Timespan (in milliseconds) of the series of events included in this series.

I am trying to calculate the duration/time taken between 2 strings in an event using transaction startswith and endswith, and it is not giving the expected result, and the format is different; I wanted a simple format with HH:MM:SS.

To do it, you have to do a transaction following the next model:

search transaction <common value between events> startswith='<keyvalue of a parameter of the first event>' endswith='<keyvalue of a parameter of the second event>'

Example: With this example, we want to check the duration between the log L1 and the log L4.
