Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to generate a search that will combine two events with different fields that contain the same value and calculate response time?

arjangoos
Path Finder
‎11-02-2016 08:40 AM

I want to combine two events based on different fields (ID and PARENT_ID) that have the same value and then find the difference of CREATION_TIMESTAMP of event1 and the CREATION_TIMESTAMP of event2, in order to calculate the response time.

event 1

ID =1, PARENT_ID=NULL, CREATION_TIMESTAMP=1478097923354

event 2

ID=2, PARENT_ID=1, CREATION_TIMESTAMP=1478097924800
0 Karma
Reply

cmerriman
Super Champion
‎11-02-2016 09:23 AM

so when ID=1 and PARENT_ID=1, you want to join?

if so, try something like this:

....|appendpipe [stats max(CREATION_TIMESTAMP) as CREATION_TIMESTAMP2 by PARENT_ID|rename PARENT_ID as ID]|stats values(CREATION_TIMESTAMP) as CREATION_TIMESTAMP values(CREATION_TIMESTAMP2) as CREATION_TIMESTAMP2 by ID|eval timeDiff=CREATION_TIMESTAMP2-CREATION_TIMESTAMP
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...