So I've read several previous questions on how to get the time difference between events, and they all seem to revolve around the transaction command. But that seems to then group my events and I don't want that.
My search gives me exactly what I want, but I'd simply like to determine the time difference between two events. I'm sure it's simple but I've spent too much time, so now, it is time to ask the community.
Thanks,
Rob
Should be possible to do that with the | streamstats command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats
In its simplest form, it would look something like this (to add a field in each event with the difference between the _time value of that event and the previous event):
...your current search...
| streamstats window=2 range(_time) as timediff
Or alternatively, using the | delta command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta
...your current search...
| delta _time as timediff
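A runnable illustration of both approaches side by side, added here and not part of the answer above: it builds four constructed events 90 seconds apart with makeresults (the action values are the two from the query in this thread; the timestamps are made up), sorts them oldest-first, and then computes the gap to the previous event once with streamstats and once with delta.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time=1700000000 + (n * 90), action=if(n % 2 = 1, "540262", "15771078996")
| sort 0 _time
| streamstats current=f last(_time) AS prev_time
| eval timediff=_time - prev_time
| delta _time AS delta_time
| table _time action prev_time timediff delta_time
```

With the sort in place, timediff and delta_time are both 90 for every event after the first (the first has no previous event, so both are empty); without the sort, Splunk returns newest events first and both values come out negative, whereas the window=2 range(_time) form is always non-negative.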
Thanks Frank. The delta command did exactly what I needed.
You should post your query, which would make it easier for us to help you. Try adding an eval like this:
| eval New_field_name=time_end - time_start
Replace New_field_name with your new field name, and replace time_end and time_start with your field names.
Thanks... Here is my query:
sourcetype="QMGR:manager" source="/opt/web/tomcat_instances/logs/tomcat_1/sessionmanager.sm.log.*" action ("540262" OR "15771078996")
But I'm not sure what field names I would substitute in your example.
You need to list the two fields that represent the start time and end time.
I think he is asking for time difference between 2 separate events, not the difference between 2 time fields in 1 event.
Ah I see. He mentioned using the transaction command and finding the difference. Garbage questions get garbage answers
Sorry you think my question was garbage. I'm new to Splunk and trying my best to learn. If you read my first post I mention that OTHER posts mention the transaction command but that was not what I wanted as it grouped my transactions. Maybe some people just need to learn how to read.
Your question was vague with little detail. If you want help on here, I'd strongly recommend you try not insulting users and put some effort into your questions.