Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to do calculate log time between search result and next row ?

blueyuan
New Member
‎03-25-2016 02:26 AM

Hi All, I am studying splunk recently and need help about some question, thanks.
When I want to search one key word and want to calculate the key word and next row's time, what should I do?

For example:

1 25-Mar-2016 15:26:42.727 AAA

2 25-Mar-2016 15:26:43.420 BBB

3 25-Mar-2016 15:26:44.123 CCC

4 25-Mar-2016 15:26:45.861 AAA

5 25-Mar-2016 15:26:46.678 DDD

If I search AAA, so I can get two row(#1, #4), but I also want to get the time, like #2-#1(25-Mar-2016 15:26:43.420 - 25-Mar-2016 15:26:42.727) and #5-#4(25-Mar-2016 15:26:46.678 - 25-Mar-2016 15:26:45.861).
As a result, I can get the execute time from my key word to next row. Thank you very much.

0 Karma
Reply

somesoni2
Revered Legend
‎03-25-2016 07:42 AM

Try something like this

your current search giving output above | streamstats current=f window=1 values(_time) as prev_time | search filter for AAA | eval duration=prev_time-_time
0 Karma
Reply

blueyuan
New Member
‎03-28-2016 07:07 PM

Thank you for your help.

Sorry, clarify my example again, the raw data as follows(log files):

1 25-Mar-2016 15:26:42.727 mknvuxsgdflfkgnd;flkghj"AAA"dfkjbsljkfnlk;dsjrghfiljkh

2 25-Mar-2016 15:26:43.420 sflknl;kjpothfjhl;'fgj"BBB"ld;kfjgopiehrtoiey

3 25-Mar-2016 15:26:44.123 lk[pulikljs;lknlkaznsdkljafdja;bf;jaf;d"CCC"fsk;hedjfhgj;dgjlf'dkjsieujroiehto;

4 25-Mar-2016 15:26:45.861 hjghjkfghj[dportpwtp[l[yt"AAA",dl;ktypokrp[oytukopknsdjklfgahsd

5 25-Mar-2016 15:26:46.678 mkajerohqauwiheigbsldl"DDD",sodpktpoir[pyujjs;hltfuish;

......

So the row data not only have AAA or BBB..., and data is from original log files.

I used your answer to search, but no results found, so need your help again, thank you very much.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...