Finding the duration of a process using the time stamp from a log file

Follow

Radha Unknown

• March 25, 2018 05:32

My log file is a windows log file that has 2 fields, TIME and Message. In our logs we log messages from a device  during a process from start to finish. I want to caliberate the time taken from start to finish. The start command is in the message text and the finish command is in the message text. How can I find the two commands from the message for a give Device Serial number and find the diff (finish - start) to know the duration of the process?

 

 

0

• 

  Olaf Stein

  • March 25, 2018 19:55

  Hi Radha,

  there are 2 operators that come to mind when correlating: transaction and transactionize

  https://help.sumologic.com/Search/Search-Query-Language/Transaction-Analytics

  https://help.sumologic.com/Search/Search-Query-Language/Transaction-Analytics/Transactionize-operator

  With both you can get the time diff between 2 or more events. I would start with:

  | transactionize deviceserialnum

  This produces a field _group_duration in ms

  You can add the startsWith parameter for this operator if many of these occur at the same time:

  | transactionize deviceserialnum startsWith="start message"; strict

  strict is optional.

  Thanks

  Olaf

   

  startsWith

   

   

  0

  Comment actions Permalink
• 

  Radha Unknown

  • April 05, 2018 15:28

  Olaf, thank you. How do I write 2 events in the same query? 

   

  0

  Comment actions Permalink

Please sign in to leave a comment.