Hello Spelunkers,
I have a Splunk query problem that I can't seem to solve.
index=prod-web-apps sourcetype=csv-emailevents (EventName=delivered OR EventName=processed)
| head 100
| table EmailID, EventName, DateScheduled, DateSent, DateIndexed, Time.SendGrid
| Sort -EmailID
Table is only included to illustrate the data in the screen shot.
Screenshot:
What I want to do is join the delivered event to the processed event on their EmailID and then take the difference between their respective DateIndexed epoch time as a new field as follows:
| eval TimeInSendGrid=DeliveredEvent.DateIndexed-ProcessedEvent.DateIndexed
Thanks in advance!
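One way to compute the per-email difference described in the post without a join, as an added example that is not part of the original post: group both events by EmailID with stats and subtract. It assumes DateIndexed is already a numeric epoch value and that each EmailID has one processed and one delivered event; DeliveredIndexed and ProcessedIndexed are hypothetical field names introduced here.

```spl
index=prod-web-apps sourcetype=csv-emailevents (EventName=delivered OR EventName=processed)
| stats max(eval(if(EventName=="delivered", DateIndexed, null()))) AS DeliveredIndexed
        min(eval(if(EventName=="processed", DateIndexed, null()))) AS ProcessedIndexed
        BY EmailID
| where isnotnull(DeliveredIndexed) AND isnotnull(ProcessedIndexed)
| eval TimeInSendGrid=DeliveredIndexed-ProcessedIndexed
| table EmailID, ProcessedIndexed, DeliveredIndexed, TimeInSendGrid
```

The where clause drops any EmailID that has only one of the two events in the search window, so TimeInSendGrid is never computed from a missing value.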