<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to find the time difference between values in the same field in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253791#M48712</link>
    <description>&lt;P&gt;It worked! Thank you&lt;/P&gt;</description>
    <pubDate>Mon, 25 Jan 2016 22:13:43 GMT</pubDate>
    <dc:creator>raby1996</dc:creator>
    <dc:date>2016-01-25T22:13:43Z</dc:date>
    <item>
      <title>How to find the time difference between values in the same field</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253789#M48710</link>
      <description>&lt;P&gt;Hi all,&lt;BR /&gt;
I have a field that I am calling "code_load_date" and I am running a stats command that groups them by associated serial number and code level, so essentially the events look like this-&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;Serial            Code                 code_load_date
8k12              1.1                     1/01/15
--------------------------------------------------------------------         
8k13              1.2                     01/01/15
                  1.3                     01/11/15
                  1.4                     01/22/15
--------------------------------------------------------------------
8k14              1.2                     01/01/15
                  1.3                     01/15/15
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;and essentially I want to find the difference in the days between each date (code_load_date) that code was loaded onto a machine (serial) between each new code level so my desired results would look something like this-&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;    Serial            Code                 code_load_date          time_difference
    8k12              1.1                     1/01/15                       0
    ---------------------------------         
    8k13              1.2                     01/01/15                      10
                      1.3                     01/11/15                      11
                      1.4                     01/22/15
    --------------------------------
    8k14              1.2                     01/01/15                      14
                      1.3                     01/15/15
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Is there any way that this can be achieved? Thank you in advance.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 08:35:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253789#M48710</guid>
      <dc:creator>raby1996</dc:creator>
      <dc:date>2020-09-29T08:35:19Z</dc:date>
    </item>
    <item>
      <title>Re: How to find the time difference between values in the same field</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253790#M48711</link>
      <description>&lt;P&gt;I'm guessing your query looks like this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your search before stats | stats values(Code) as Code values(code_load_date) as code_load_date by Serial
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Try something like this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your search before stats | sort Serial code_load_date | streamstats current=f window=1 values(code_load_date) as prev by Serial | eval time_difference=round((strptime(code_load_date,"%m/%d/%y")-strptime(prev,"%m/%d/%y"))/86400) | stats values(Code) as Code values(code_load_date) as code_load_date values(time_difference) as time_difference by Serial | fillnull value=0 time_difference
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 25 Jan 2016 21:49:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253790#M48711</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2016-01-25T21:49:37Z</dc:date>
    </item>
    <item>
      <title>Re: How to find the time difference between values in the same field</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253791#M48712</link>
      <description>&lt;P&gt;It worked! Thank you&lt;/P&gt;</description>
      <pubDate>Mon, 25 Jan 2016 22:13:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-find-the-time-difference-between-values-in-the-same-field/m-p/253791#M48712</guid>
      <dc:creator>raby1996</dc:creator>
      <dc:date>2016-01-25T22:13:43Z</dc:date>
    </item>
  </channel>
</rss>

