https://community.splunk.com/t5/Getting-Data-In/How-to-calculate-the-difference-between-timestamps/m-p/125753#M25925 <P><CODE>Transaction</CODE> automatically creates a field called <CODE>duration</CODE> that is the difference between the earliest and latest events in the transaction. If your <CODE>Timestamp</CODE> field is the same as the <CODE>_time</CODE> field in each event, the work is already done for you. </P> <P>Just a side note, I'd recommend beefing up your transaction definition so that you can ensure the events that are paired together actually go together. By default, transaction combines events based on time, so if you have two CalculateTaxRequests start one after another, they could be combined into a transaction and your statistics would be off. Perhaps a transaction definition like this?</P> <PRE><CODE>index=all GUID="*" AND *calculatetax* Timestamp="*" | transaction GUID startswith=CalculateTaxRequests endswith=CalculateTaxResponse maxevents=2 </CODE></PRE> Tue, 03 Feb 2015 20:11:04 GMT wpreston 2015-02-03T20:11:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-calculate-the-difference-between-timestamps/m-p/125752#M25924 <P>I have a lot of SOAP request/response pairs indexed in Splunk. One of those are CalculateTaxRequest and CalculateTaxResponse. So when the call is made it will show <CODE>23:59:04,108</CODE> and <CODE>23:59:04,437</CODE> respectfully (hour/minute/second/millisecond). I have created a new field called TimeStamp which extracts the time for each call. I then wrote a search for <CODE>...|transaction maxevents=2</CODE> and assigned another field (GUID) which matches the unique identifiers for the request/response in one field. </P> <P>My current query is:</P> <PRE><CODE>index=all GUID="*" AND *calculatetax* Timestamp="*" | transaction maxevents=2 </CODE></PRE> <P>This search returns the request and response for calculatetax in the same field along with returning the timestamp for both fields. So now I would like to take those 2 timestamps and subtract them and have another field output the difference between the two in the same field. I'm doing this so I don't have to manually calculate the difference and see which services too longer then the others. Thanks in advance! </P> Tue, 03 Feb 2015 18:53:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-calculate-the-difference-between-timestamps/m-p/125752#M25924 skoelpin 2015-02-03T18:53:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-calculate-the-difference-between-timestamps/m-p/125753#M25925 <P><CODE>Transaction</CODE> automatically creates a field called <CODE>duration</CODE> that is the difference between the earliest and latest events in the transaction. If your <CODE>Timestamp</CODE> field is the same as the <CODE>_time</CODE> field in each event, the work is already done for you. </P> <P>Just a side note, I'd recommend beefing up your transaction definition so that you can ensure the events that are paired together actually go together. By default, transaction combines events based on time, so if you have two CalculateTaxRequests start one after another, they could be combined into a transaction and your statistics would be off. Perhaps a transaction definition like this?</P> <PRE><CODE>index=all GUID="*" AND *calculatetax* Timestamp="*" | transaction GUID startswith=CalculateTaxRequests endswith=CalculateTaxResponse maxevents=2 </CODE></PRE> Tue, 03 Feb 2015 20:11:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-calculate-the-difference-between-timestamps/m-p/125753#M25925 wpreston 2015-02-03T20:11:04Z