- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- create table and calculate time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My log file is similar to below and search is
I0530 14:28:10.394402 29432 tafc_logger_c.cpp:42] demoprogram.b:9 [manoj] [MYCOMP] [DEMO] End Transaction - End Message
...
...
I0530 14:28:06.406689 29432 tafc_logger_c.cpp:42] demoprogram.b:2 [manoj] [MYCOMP] [DEMO] Start Transaction - Some Message
Now I have two question
1. How to convert this log information in to table?
Table format should be like this
Date Time User Component Message
- How to calculate time difference between two events?
from above log I want to calculate time difference
Transaction Time = 0530 14:28:10.394402 - 0530 14:28:06.406689
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below query solve my problem
earliest=06/06/2012:15:30:00 "START TRANSACTION" OR "STOP TRANSACTION" | table _time | streamstats range(_time)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below query solve my problem
earliest=06/06/2012:15:30:00 "START TRANSACTION" OR "STOP TRANSACTION" | table _time | streamstats range(_time)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no nothing extracted
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are the fields (User, Component, Message) already extracted?
Does Splunk parse your timestamps correctly?
If yes, this is simple
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1 - make sure that the timestamp is correctly extracted in splunk at index time
see how to define a sourcetype http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Configuretimestamprecognition
it will be stored on the field _time.
2 - at search time, extract the other fields, using regex, inline extraction or automatic extractions.
see http://docs.splunk.com/Documentation/Splunk/4.3.2/Knowledge/Addfieldsatsearchtime
example of inline extraction
mysearch | rex "[(?
3 - define a transaction to group your events and calculate duration.
example http://docs.splunk.com/Documentation/Splunk/4.3.2/SearchReference/Transaction
mysearch | rex "[(<?field1>\w+)] [(<?field2>\w+)] [(<?field3>\w+)]" | transaction field1 field2 field3 | table _time duration field1 field2 field3
Beware an unfinished transaction will not have a valid duration.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to follow the instructions provided by yannk. That's pretty much how it's done.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am forwarding data from universal forwarder and everything is default
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
