- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate time difference between two speci...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to calculate time difference between two specific events?
I want to be able to calculate the time difference between 2 events, through their timestamps, for a specific serial Number.
Event 1: when segmentID=0 and phase=mapStart
Event 2: when phase=integrationEnd
(where segmentID and phase are fields on Splunk).
I don't want to combine searches but I want to be able to compute them using eval commands.
deviceID="ABCD" | eval field 1= (...when segmentID=0 and phase=mapStart....) | eval field 2=(...when phase=integrationEnd....)| eval difference=field1- field2
...where field 1 and field 2 would be the timestamps for both those events extracted.
I feel like it's a pretty simple scenario but I'm not able to extract time values for the two specific events. Thanks for any help in this regard!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a new situation where I'm looking at the time difference between the first and the last segment for a specific serial number i.e.,
Event 1: When segmentID=0 and phase=mapStart
Event2: When segmentID=(largest segment value) and phase=mapEnd.
The problem here is that the segment numbers vary according to device, and I want my query to be able to identify the highest segment ID. Here's my altered query but I think the portion highlighted is incorrect.
sourcetype="algorithmjoblog" serialNumber="NTEST0872B" | stats max(segmentId) as lastSeg | transaction startswith=(segmentId=0 phase=mapStart) endswith=(segmentId=lastSeg phase=mapEnd)| table duration
Any corrections/alternatives would help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How many output rows you're expecting, just one row per deviceID?? If yes then you can try stats/chart command as well
deviceID="ABCD" (segmentID=0 and phase=mapStart) OR phase=integrationEnd | chart max(_time) over deviceID by phase | eval duration_in_secs=mapStart - mapEnd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I might need sample data for this, but I'll try without. Does this work?
deviceID="ABCD" | transaction startswith=(segmentID=0 phase=mapStart) endswith=(phase=integrationEnd)| table duration
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
