https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612248#M13837 <P>Hi Whiser,<BR />&nbsp; &nbsp; &nbsp; &nbsp;Thanks a lot...It is working for me</P> Wed, 07 Sep 2022 11:17:15 GMT vineela 2022-09-07T11:17:15Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612232#M13835 <P>&nbsp;I have two events with start and end process and i need to calculate the time difference between the start process and end process of id but the fields are not configured,&nbsp;<BR />The data is like below:<BR />Start process:<BR /><SPAN>{"</SPAN><SPAN class="">log</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"[</SPAN><SPAN class="">16:43:39.451</SPAN><SPAN>] [</SPAN><SPAN class="">INFO</SPAN><SPAN> ] [] [</SPAN><SPAN class="">c.c.n.m.a.n.a.b.i.DefaultNotificationAuthService</SPAN><SPAN>] [] </SPAN><SPAN class="">-</SPAN> <STRONG><SPAN class=""><SPAN class="">Creating</SPAN> <SPAN class="">notification</SPAN> <SPAN class="">auth</SPAN> <SPAN class="">flow</SPAN></SPAN></STRONG> <SPAN class="">for</SPAN> <SPAN class="">idempotencyKey</SPAN> <STRONG><SPAN class="">8532923</SPAN></STRONG><SPAN class="">_default</SPAN> <SPAN class="">as</SPAN> <SPAN class="">entityId</SPAN> <SPAN class="">Qb4RmEiaR6-zp8FU8MsyQQ</SPAN> <SPAN class="">\n</SPAN><SPAN>","</SPAN><SPAN class="">stream</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">stdout</SPAN><SPAN>","</SPAN><SPAN class="">docker</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">container_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">cd1c24ba236b3aca14151619a174176957213d860408addfb964e6bd3ec04b81</SPAN><SPAN>"},"</SPAN><SPAN class="">kubernetes</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">container_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">mms-au</SPAN><SPAN>","</SPAN><SPAN class="">namespace_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">msaas-t5</SPAN><SPAN>","</SPAN><SPAN class="">pod_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">mms-au-b-1-685f9fd75d-4bz87</SPAN><SPAN>","</SPAN><SPAN class="">container_image</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">pso.docker.internal.cba/mms-au:2.3.1-0-1-5634ab725</SPAN><SPAN>",}<BR /><BR /></SPAN></P> <P>End process :<BR /><SPAN>{"</SPAN><SPAN class="">log</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"[</SPAN><SPAN class="">16:43:39.876</SPAN><SPAN>] [</SPAN><SPAN class="">INFO</SPAN><SPAN> ] [] [</SPAN><SPAN class="">c.c.n.m.a.n.s.j.NotificationJMSProducer</SPAN><SPAN>] [</SPAN><SPAN class="">akka://MmsAuCluster/system/sharding/notificationAuthBpmn/5/Qb4RmEiaR6-zp8FU8MsyQQ_5/Qb4RmEiaR6-zp8FU8MsyQQ</SPAN><SPAN>] </SPAN><SPAN class="">-</SPAN> <STRONG><SPAN class=""><SPAN class="">Submitting</SPAN> <SPAN class="">Enriched</SPAN> <SPAN class="">Notification</SPAN></SPAN> <SPAN class="">for</SPAN> <SPAN class="">id</SPAN> <SPAN class="">8532923</SPAN></STRONG> <SPAN class="">\n</SPAN><SPAN>","</SPAN><SPAN class="">stream</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">stdout</SPAN><SPAN>","</SPAN><SPAN class="">docker</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">container_id</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">cd1c24ba236b3aca14151619a174176957213d860408addfb964e6bd3ec04b81</SPAN><SPAN>"},"</SPAN><SPAN class="">kubernetes</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>{"</SPAN><SPAN class="">container_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">mms-au</SPAN><SPAN>","</SPAN><SPAN class="">namespace_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">msaas-t5</SPAN><SPAN>","</SPAN><SPAN class="">pod_name</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">mms-au-b-1-685f9fd75d-4bz87</SPAN><SPAN>","</SPAN><SPAN class="">container_image</SPAN><SPAN>"</SPAN><SPAN class="">:</SPAN><SPAN>"</SPAN><SPAN class="">pso.docker.internal.cba/mms-au:2.3.1-0-1-5634ab725</SPAN><SPAN>",<BR /><BR /></SPAN>Need to calculate time difference between the above 2 events called "<STRONG><SPAN class=""><SPAN class="">Creating</SPAN> <SPAN class="">notification</SPAN> <SPAN class="">auth</SPAN> <SPAN class="">flow</SPAN></SPAN></STRONG>&nbsp;" and "<STRONG><SPAN class=""><SPAN class="">Submitting</SPAN> <SPAN class="">Enriched</SPAN> <SPAN class="">Notification".<BR /></SPAN></SPAN></STRONG><SPAN class=""><SPAN class="">Is this possible to do in splunk and if possible,how can we achieve it?</SPAN></SPAN><SPAN class=""><SPAN class=""><BR />Thanks in Advance</SPAN></SPAN></P> Wed, 07 Sep 2022 16:51:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612232#M13835 vineela 2022-09-07T16:51:44Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612236#M13836 <P>There are a number of ways to do this - does this way work for you?</P><LI-CODE lang="markup">| rex "(Creating notification auth flow for idempotencyKey|Submitting Enriched Notification for id)\s(?&lt;key&gt;\d+)" | stats range(_time) as timediff by key</LI-CODE> Wed, 07 Sep 2022 10:32:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612236#M13836 ITWhisperer 2022-09-07T10:32:50Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612248#M13837 <P>Hi Whiser,<BR />&nbsp; &nbsp; &nbsp; &nbsp;Thanks a lot...It is working for me</P> Wed, 07 Sep 2022 11:17:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-calculate-time-difference-between-two-events/m-p/612248#M13837 vineela 2022-09-07T11:17:15Z