Good Afternoon Splunk,
I have a question about some data that I am trying to evaluate for the transaction command. Below I have a snapshot of the data; I am trying to get the transaction statement to work, but I have to be somewhat creative.
The goal is that I am trying to get the last event in this transaction, the max or last value. I believe to signify the transaction I may be able to start with the "Send To State" field, as that is always = 0.
But the end of the transaction I am having some trouble with, as you can see the data is not all that helpful.
My anticipated query for index time. Seems to at least pick up values in steps.
| eval IndexTime=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
Somehow I would like to correlate the index time and another field so that I may then say
SendToState was the beginning of this and the end was the combination of an indextime and some other field, but I am at a loss what I could do. Any help would be appreciated.
Thanks,
Daniel MacGillivray
![alt text][1]
[1]: /storage/temp/159212-transaction-data.jpg
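An added example of the kind of search being asked about (this is not from the original post and not Splunk's own sample; the index name, the correlation field `session_id`, and the literal field name `SendToState` are assumptions, since the screenshot data is not shown here). It starts each transaction at the event where `SendToState=0` and derives the end of the transaction from the fields `transaction` itself produces: `_time` is set to the earliest event and `duration` is the span to the latest event, so `_time + duration` is the last event's time. Because `_indextime` is a per-event field, it is formatted before the events are merged so it is not lost:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| eval IndexTime=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| transaction session_id startswith="SendToState=0" maxevents=100 keepevicted=true
| eval EndTime=strftime(_time + duration, "%Y-%m-%d %H:%M:%S")
| eval LastIndexTime=mvindex(IndexTime, -1)
| table _time EndTime LastIndexTime duration eventcount closed_txn session_id
```

`keepevicted=true` together with the `closed_txn` field lets you see which groups never reached a recognizable end, which is useful when the data offers no clean terminating event. If you only need the last value of one field rather than the full group, `stats earliest(_time) AS Start latest(_time) AS End latest(<field>) AS LastValue BY session_id` avoids `transaction` entirely and scales better on large result sets.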