topic Re: To get duration of inspection in Splunk Enterprise

Calculate difference

AB24 — Tue, 09 May 2023 14:25:03 GMT

Re: To get duration of inspection

ITWhisperer — Tue, 09 May 2023 07:12:21 GMT

Try something like this

| where Device_Info == "Device Number" OR match(Device_Info,"\d+") | streamstats count(eval(Device_Info=="Device Number")) as Inspection_Count | stats values(eval(if(match(Device_Info, "\d+"),Device_Info,null()))) as Device_Info range(_time) as total_duration by Inspection_Count | where total_duration > 0 | streamstats reset_on_change=t count as Inspection_Count by Device_Info | eventstats sum(total_duration) as sum_duration by Device_Info | eval total_duration = total_duration / 60 | eval sum_duration = sum_duration / 60

Re: To get duration of inspection

AB24 — Tue, 09 May 2023 14:25:52 GMT

Thanks

Re: To get duration of inspection

ITWhisperer — Tue, 09 May 2023 09:13:30 GMT

Remove the reset_on_change=t

Re: To get duration of inspection

AB24 — Tue, 09 May 2023 09:40:03 GMT

Some Device_Info are merging in the result instead of one device_info per row it is two device_info per row

Re: To get duration of inspection

ITWhisperer — Tue, 09 May 2023 09:45:01 GMT

Perhaps if you shared some of your real events and results and your SPL, we might be able to advise you further. Vague descriptions of the issue and fake data means we can only offer solutions based what you have provided, and to that extent, the solution provided does work (but only with the fake data you provided)!