Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the time range between two events?

shenjunwei
New Member
‎06-24-2016 12:52 AM

I have data like below. How do I calculate the time difference between A.1-B. 1, A.2-B.2......A.n-B.n

Time Offset Word1
978         Start                      -------> A.1
1152           Start                           -------> A.2
1358           Start                           -------> A.3
1375           Controller                    -------> B.1
1569           Start                             -------> A.4
1577           Controller                    -------> B.2
1771           Controller                    -------> B.3
1965           Start                              -------> A.5
2095           Controller                     -------> B.4
2167           Start                               -------> A.6
2348           Start                               -------> A.7
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2016 07:22 AM 
  ... | eval timea1=if(match(_raw,".*A\.1.*"),_time,null())
 | eval timeb1=if(match(_raw,".*B\.1.*"),_time,null()) 
  | eval Tab1=timea1-timeb1 
  | table timea1 timeb2 Tab1

Something like that, but we need more details such as what your field names are, etc to make it a more appropriate answer.

0 Karma
Reply

shenjunwei
New Member
‎06-26-2016 06:19 PM

Thanks for your answer. May be I didn't explain so clearly, A.1, A.2, B.1 are not in the event. The real data is just like
978 Start

1152 Start

1358 Start

1375 Controller

1569 Start

1577 Controller

1771 Controller

1965 Start

2095 Controller

2167 Start

2348 Start

Is there any way which could calculate the difference between first start and controller, and the subsequence?

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 11:13 AM

Is this data already in Splunk? Have all the fields been extracted? What is the name of the field that has A.1, A.2 etc?

Reply

shenjunwei
New Member
‎06-26-2016 06:13 PM

Yes, these data are already in Splunk. A.1, A.2 ,etc are not in the data field, the data is just like "978 Start ".
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...