topic how to calculate 2 events with same values difference in Splunk Dev

how to calculate 2 events with same values difference

Annna — Fri, 26 Mar 2021 11:48:24 GMT

i am looking difference of 2 events in one source file and those events having same values and have to calculate difference.

After append search got below values.

_time	Customer	order
2021-03-25 08:30:28.485	123456
2021-03-25 03:53:57.201	123457
2021-03-25 04:43:50.254	123458
2021-03-25 12:59:31.464	123459
2021-03-25 08:30:28.485		123456
2021-03-25 03:53:57.201		123457
2021-03-25 04:48:50.254		123458
2021-03-25 12:59:31.464	123451
2021-03-25 22:59:31.464	123452
2021-03-25 04:59:31.464	123454
2021-03-25 04:59:33.464		123454
2021-03-25 05:00:31.464	123454
2021-03-25 05:05:31.464	123454
2021-03-25 05:10:35.464		123454

Output be like:

Starttime	EndTime	ID	(Start- END)Diff
2021-03-25 08:30:28.485	2021-03-25 08:30:28.485	123456
2021-03-25 03:53:57.201	2021-03-25 03:53:57.201	123457
2021-03-25 04:43:50.254	2021-03-25 04:48:50.254	123458
2021-03-25 04:59:31.464	2021-03-25 04:59:33.464	123454
2021-03-25 05:05:31.464	2021-03-25 05:10:35.464	123454

i am trying to take like below but all values are not coming properly and after calculating the difference i have to visualization greater than 10 mins chart.

Thanks in advance.

Re: how to calculate 2 events with same values difference

ITWhisperer — Fri, 26 Mar 2021 13:21:15 GMT

Obviously, there are a couple of situations in your data that you need to cope with, e.g. 123454 "starts" multiple times and you appear to only want the most recent start for your calculation, and a number of starts which don't have ends e.g. 123459

Re: how to calculate 2 events with same values difference

Annna — Mon, 29 Mar 2021 13:30:01 GMT

Thanks for the quick reply.