- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I get the amount of time between event ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Say you have a stream of events, such as web page accesses. There is no field for amount of time on a certain page, so I am interested in getting the time between event A and the next newer event temporally, event B.
I need this difference to appear in a field associated with event A, so I can say a user spent X amount of time at webpage A. This will likely be used in a transaction to differentiate clickstreams by user.
Is there such a thing as "time until next event" ? Any advice would be helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out:
| streamstats range(_time) as Duration window=2
Makes a handy Duration field, for each event giving the time between it and the event after it. Does what I need it to!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming your list of events is in chronological order and belongs to a single user, you can try this:
*| delta _time as timeSpentOnPreviousPage | accum timeSpentOnPreviousPage as totalTime
From your 2nd event on you will get for each event a timeSpentOnPreviousPage and totalTime field containing running time difference between events, and running total time, respectively.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out:
| streamstats range(_time) as Duration window=2
Makes a handy Duration field, for each event giving the time between it and the event after it. Does what I need it to!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It goes in strictly event order, so if you have things like web_page and src_ip, you will need to sort by web_page (or provide some other arguments to streamstats) first, otherwise you will get absolute time between events, not between a particular user's events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to use a transaction command that starts and stops with each event. From there, we automatically create a "duration" field that logs the amount of time between them. Alternatively, you could evaluate the difference in the _time field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, using the alternative method, how would you access a separate event's _time to eval it with the current one?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested and for events A, B, C, D, there are only two transactions, AB and CD. Thus, the time between B and C is inaccessible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For events A, B, C, D, would this approach create transactions of A/B, C/D, or A/B, B/C, C/D? If the former, then the B event would get no duration, and disappear from the results.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
