Solved: How do you determine the time difference between t...

muzicman61 · ‎01-21-2019

So I've read several previous questions on how to get the time difference between events, and they all seem to revolve around the transaction command. But that seems to then group my events and I don't want that.

My search gives me exactly what I want, but I'd simply like to determine the time difference between two events. I'm sure it's simple but I've spent too much time, so now, it is time to ask the community.

Thanks,
Rob

FrankVl · ‎01-22-2019

Should be possible to do that with the | streamstats command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats

In its simplest form, it would look something like this (to add a field in each event with the difference between the _time value of that event and the previous event):

...your current search...
| streamstats window=2 range(_time) as timediff

Or alternatively, using the | delta command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta

...your current search...
| delta _time as timediff

View solution in original post

FrankVl · ‎01-22-2019

Should be possible to do that with the | streamstats command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats

In its simplest form, it would look something like this (to add a field in each event with the difference between the _time value of that event and the previous event):

...your current search...
| streamstats window=2 range(_time) as timediff

Or alternatively, using the | delta command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta

...your current search...
| delta _time as timediff

muzicman61 · ‎01-22-2019

Thanks Frank. The delta command did exactly what I needed.

skoelpin · ‎01-21-2019

You should post your query which would make it easier for us to help you. Try adding an eval like this

| eval New_field_name=time_end - time_start

Replace New_field_name with your new field name. And replace time_end and time_start with your field names

muzicman61 · ‎01-21-2019

Thanks... Here is my query:

sourcetype="QMGR:manager" source="/opt/web/tomcat_instances/logs/tomcat_1/sessionmanager.sm.log.*" action ("540262" OR "15771078996")

But I'm not sure what field names I would substitute in your example.

skoelpin · ‎01-22-2019

You need to list the two fields that represent the start time and end time..

FrankVl · ‎01-22-2019

I think he is asking for time difference between 2 separate events, not the difference between 2 time fields in 1 event.

skoelpin · ‎01-22-2019

Ah I see. He mentioned using the transaction command and finding the difference. Garbage questions get garbage answers

muzicman61 · ‎01-22-2019

Sorry you think my question was garbage. I'm new to Splunk and trying my best to learn. If you read my first post I mention that OTHER posts mention the transaction command but that was not what I wanted as it grouped my transactions. Maybe some people just need to learn how to read.

skoelpin · ‎01-22-2019

You're question was vague with little details. If you want help on here, I'd strongly recommend you try not insulting users and add some effort into your questions..

How do you determine the time difference between two events?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!