Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the difference between two timestamps to get the duration of a video call?

murat89
New Member
‎02-27-2018 12:18 PM

Hi guys,

im a beginner in Splunk and my issue is that I have Cisco logs and I need to find out the conference duration but there is no field like duration so I have to make it through timestamps.
Below you can see that kind of log and I don't know how to get the timestamps and then calculate the difference between them, please help, im thankful for any idea.

Just a part of Cisco log:
2814 2018/01/22 09:56:39.008 APP Info conference "Terminal 1" created
2846 2018/01/22 12:01:30.213 APP Info conference "Terminal 1": deleted via API (no participants)

Tags (1)
0 Karma
Reply

niketn
Legend
‎03-04-2018 10:49 AM

@murat89, based on the sample data provided please try the following run anywhere search.

PS: First 5 pipes from makeresults to rename are used to generate the mock data. Also while I have extracted _time using rex, you might need the rex command from APP Info conference onward as your data will have timestamp extracted already.

| makeresults
| eval data="2814 2018/01/22 09:56:39.008 APP Info conference \"Terminal 1\" created;2846 2018/01/22 12:01:30.213 APP Info conference \"Terminal 1\": deleted via API (no participants)"
| makemv data delim=";" 
| mvexpand data
| rename data as _raw
| rex "\d{4}\s(?<_time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}.\d{3})\sAPP Info conference\s\"(?<id>[^\"]+)\"(\s|\:)+(?<status>\w+)"
| eval _time=strptime(_time,"%Y/%m/%d %H:%M:%S.%3N")
| stats first(_time) as _time last(_time) as EndTime values(status) as status by id
| search status=created AND status=deleted
| eval duration=EndTime-_time
| fields - EndTime
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

somesoni2
Revered Legend
‎02-27-2018 12:46 PM

Best (in terms of performance) is to use stats on a field (or group of fields), preferably a primary key which is common between both type of events (conference start and end) and can uniquely identify the conference. For example, if there is field call conference_id in your logs, you can do something like this

index=YourIndex sourcetype=YourCiscoSourcetype (conference created) OR (conference deleted)
| eval confStart=if(searchmatch("conference created"),"_time,null())
| eval confEnd=if(searchmatch("conference deleted"),"_time,null())
| stats values(confStart) as confStart values(confEnd) as confEnd by conference_id
| eval "duration(in secs)"=confEnd-confStart
0 Karma
Reply

murat89
New Member
‎02-28-2018 02:43 AM

Thank you, great solution, i really appreciate that. Unfortunately there is no conference_id but we do have the conference name, here it is "Terminal 1". How to do with that?

0 Karma
Reply

starcher
Influencer
‎03-04-2018 07:34 AM

Extract the data where the name is to a field called conference_name and change out the by conference_id.

0 Karma
Reply

murat89
New Member
‎03-04-2018 03:24 PM

I have never created a field in Splunk, I know how to create an event type, a field seems little different to me.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...