Splunk Search

How to calculate the time between a search result and the next row?

blueyuan
New Member

Hi All, I have been studying Splunk recently and need help with a question, thanks.
When I search for a keyword and want to calculate the time between the keyword's row and the next row, what should I do?

For example:

1 25-Mar-2016 15:26:42.727 AAA

2 25-Mar-2016 15:26:43.420 BBB

3 25-Mar-2016 15:26:44.123 CCC

4 25-Mar-2016 15:26:45.861 AAA

5 25-Mar-2016 15:26:46.678 DDD

If I search for AAA, I get two rows (#1, #4), but I also want to get the time difference, like #2-#1 (25-Mar-2016 15:26:43.420 - 25-Mar-2016 15:26:42.727) and #5-#4 (25-Mar-2016 15:26:46.678 - 25-Mar-2016 15:26:45.861).
As a result, I can get the execution time from my keyword to the next row. Thank you very much.


somesoni2
Revered Legend

Try something like this:

your current search giving output above | streamstats current=f window=1 values(_time) as prev_time | search filter for AAA | eval duration=prev_time-_time 

blueyuan
New Member

Thank you for your help.

Sorry, let me clarify my example again; the raw data is as follows (from log files):

1 25-Mar-2016 15:26:42.727 mknvuxsgdflfkgnd;flkghj"AAA"dfkjbsljkfnlk;dsjrghfiljkh

2 25-Mar-2016 15:26:43.420 sflknl;kjpothfjhl;'fgj"BBB"ld;kfjgopiehrtoiey

3 25-Mar-2016 15:26:44.123 lk[pulikljs;lknlkaznsdkljafdja;bf;jaf;d"CCC"fsk;hedjfhgj;dgjlf'dkjsieujroiehto;

4 25-Mar-2016 15:26:45.861 hjghjkfghj[dportpwtp[l[yt"AAA",dl;ktypokrp[oytukopknsdjklfgahsd

5 25-Mar-2016 15:26:46.678 mkajerohqauwiheigbsldl"DDD",sodpktpoir[pyujjs;hltfuish;

......

So the rows do not contain only AAA or BBB...; the data comes from the original log files.

I used your answer to search, but no results were found, so I need your help again. Thank you very much.

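The following Python script is an added illustration of the logic behind the answer's pipeline, written for this thread; it is not Splunk code and not part of either post. It replays the asker's second (raw log) example: Splunk streams results newest-first, so `streamstats current=f window=1 values(_time) as prev_time` attaches to each event the `_time` of the chronologically next event, and the keyword filter must run after that step, otherwise "next row" silently becomes "next matching row". The sample lines, regex and function names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the asker's raw log lines: the keyword is
# embedded in arbitrary text, so a field-equals test would not find it.
SAMPLE_LOG = """\
25-Mar-2016 15:26:42.727 mknvuxsgdflfkgnd;flkghj"AAA"dfkjbsljkfnlk;dsjrghfiljkh
25-Mar-2016 15:26:43.420 sflknl;kjpothfjhl;'fgj"BBB"ld;kfjgopiehrtoiey
25-Mar-2016 15:26:44.123 lk[pulikljs;lknlkaznsdkljafdja;bf;jaf;d"CCC"fsk;hedjfhgj;dgjlf'dkjsieujroiehto;
25-Mar-2016 15:26:45.861 hjghjkfghj[dportpwtp[l[yt"AAA",dl;ktypokrp[oytukopknsdjklfgahsd
25-Mar-2016 15:26:46.678 mkajerohqauwiheigbsldl"DDD",sodpktpoir[pyujjs;hltfuish;
"""

# Timestamp prefix as it appears in the sample ("25-Mar-2016 15:26:42.727").
TS_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_events(text):
    """Return (timestamp, raw_text) tuples in chronological (oldest-first) order."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # skip lines without the expected timestamp prefix
        events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    events.sort(key=lambda e: e[0])
    return events


def next_event_time(events):
    """Mirror of `streamstats current=f window=1 values(_time) as prev_time`.

    Splunk hands events to streamstats newest-first, so the "previous" streamed
    event is the chronologically *next* one. Returns (ts, raw, next_ts) tuples
    oldest-first; next_ts is None for the newest event (no row after it).
    """
    out = []
    prev_ts = None
    for ts, raw in reversed(events):  # newest first, like Splunk's default order
        out.append((ts, raw, prev_ts))
        prev_ts = ts
    out.reverse()
    return out


def time_to_next(events, keyword):
    """Seconds from each row containing `keyword` to the row that follows it.

    The keyword filter runs *after* next_event_time, exactly as the answer's
    pipeline puts `search` after `streamstats`. The substring test is what the
    raw-log example needs: "AAA" sits inside otherwise arbitrary text.
    """
    return [
        (ts, (nxt - ts).total_seconds() if nxt is not None else None)
        for ts, raw, nxt in next_event_time(events)
        if keyword in raw
    ]


def time_between_matches(events, keyword):
    """What you get if the keyword filter runs *before* the streamstats step:
    the gap to the next matching row, not to the next row of the log."""
    matched = [e for e in events if keyword in e[1]]
    return [
        (ts, (nxt - ts).total_seconds() if nxt is not None else None)
        for ts, raw, nxt in next_event_time(matched)
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ts, secs in time_to_next(evs, "AAA"):
        print(ts.strftime(TS_FMT)[:-3], "-> next row after", secs, "s")
    for ts, secs in time_between_matches(evs, "AAA"):
        print(ts.strftime(TS_FMT)[:-3], "-> next AAA after", secs, "s")
```

For the sample, `time_to_next` yields 0.693 s for row #1 and 0.817 s for row #4, the two differences the asker wrote out; `time_between_matches` yields 3.134 s for row #1 and nothing usable for row #4, which is the wrong answer a filter-before-streamstats ordering produces.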