Hello Splunkers
I just started to use Splunk, and you know how it is to learn something new: you punch the keyboard lots of times, haha.
Well, I have 2 timestamps (besides a lot of other fields):
2016-03-10 04:16:19
2016-03-10 04:16:40
Each of them comes from a different search:
Search1: index="app_log" field4=*333166* status="started"
Search2: index="app_log" field4=*333166* status="completed"
So what I'm trying to do is to know how much time a process took. In this case field4 is an identifier, so the first search will provide me when it started with the corresponding timestamp, and the second one will provide me when it finished, so the time it took will be the difference between the timestamps.
What I'm having issues with is how to build this: how to perform both searches and play around with them.
Can you please help me out?
Regards
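One way to express this as a single Splunk search, as an added example rather than code from the post above. It assumes that each event's `_time` holds the timestamp shown and that `field4` identifies the process; the started/completed pair from the post would yield a `duration_sec` of 21.

```spl
index="app_log" field4=*333166* (status="started" OR status="completed")
| stats min(_time) AS start_epoch max(_time) AS end_epoch count AS events BY field4
| where events >= 2
| eval duration_sec = end_epoch - start_epoch
| eval start_time = strftime(start_epoch, "%Y-%m-%d %H:%M:%S")
| eval end_time = strftime(end_epoch, "%Y-%m-%d %H:%M:%S")
| table field4 start_time end_time duration_sec
```

The `where events >= 2` line drops processes that have started but not yet completed, so they do not show a misleading zero duration; if the same identifier can be reused for several runs, `min`/`max` will span all of them, and `transaction field4 startswith=(status="started") endswith=(status="completed")` pairs each run separately at a higher cost.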