Please bear with me as I’m sure this is very simple. I’ve seen examples here of calculating duration for a transaction with multiple log events, but this one has the start and end times in a single event.
![alt text][1]
In the above example, I’ve tried
|eval myduration=STIN_END_DTM-STIN_BEG_DTM
And
|concurrency duration=STIN_END_DTM-STIN_BEG_DTM
both of which take the command without error but do not create a duration field.
Please be gentle in telling me what I’m missing! Thanks.
[1]: /storage/temp/161176-splunkstart-end.png