<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Find time difference between two events with specific condition in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481343#M82513</link>
    <description>&lt;PRE&gt;&lt;CODE&gt;such as text msg, app redirect, direct opening app, etc
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In the log, is written up?&lt;/P&gt;</description>
    <pubDate>Mon, 02 Mar 2020 21:46:09 GMT</pubDate>
    <dc:creator>to4kawa</dc:creator>
    <dc:date>2020-03-02T21:46:09Z</dc:date>
    <item>
      <title>Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481339#M82509</link>
      <description>&lt;P&gt;So I have numerous logs regarding users accessing an app to order food for delivery. &lt;BR /&gt;
Based on the session id and user id, I'm able to find the first and last timestamp of each session and calculate its duration. &lt;BR /&gt;
However, I also want to calculate the duration between when the user first accesses the app and the moment the user places an order. &lt;BR /&gt;
Basically, for each step where the user engages with the app, there's a specific API for it. So the moment the user places an order, there's a field called route_path: API/place_order. I simply want to find the timestamp where the user placed the order using this route_path field and find the difference. Could anyone help? Appreciate it. &lt;/P&gt;

&lt;P&gt;The current query only finds the first and last timestamp for each session. &lt;/P&gt;

&lt;P&gt;index="some jason file" stats earliest(_time) as first,latest(_time) as last values(user_id) as user_id by  session_id | convert ctime(first) as First ctime(last) as Last  |eval duration=last-first | eval difference=strftime(duration,"%m/%d-%Y %H:%M:%S") | eval entire_session_duration=tostring(duration, "duration") | eval entire_session_time = replace(entire_session_duration,"(?:()+)?0?(\d+):0?(\d+):0?(\d+)"," \2h \3m \4s") | table user_id   user_id  session_id First Last entire_session_duration entire_session_time | search session_id!=""&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 04:23:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481339#M82509</guid>
      <dc:creator>jamie0510</dc:creator>
      <dc:date>2020-09-30T04:23:20Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481340#M82510</link>
      <description>&lt;P&gt;Just add the filters in your base search for specific API calls. E.g.  &lt;CODE&gt;index="some jason file" api="first_access_api_name" OR api="plac_order_api_name"&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 19:42:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481340#M82510</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2020-03-02T19:42:55Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481341#M82511</link>
      <description>&lt;P&gt;First things first, you should rewrite the query to include the steps. You should add a &lt;CODE&gt;stats&lt;/CODE&gt; command by &lt;CODE&gt;&amp;lt;said field&amp;gt;&lt;/CODE&gt;. This will give you the time for each action. Once you have this in a tabular format, you can then do another &lt;CODE&gt;stats&lt;/CODE&gt; on the data to find the difference in timestamp between the last action and first action, which would give you the result you're looking for.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 20:08:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481341#M82511</guid>
      <dc:creator>skoelpin</dc:creator>
      <dc:date>2020-03-02T20:08:22Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481342#M82512</link>
      <description>&lt;P&gt;Thanks, the fact is the first access API name varies, as the user may open the app from different sources, such as text msg, app redirect, direct opening app, etc. So I couldn't specify the API for first access.&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 20:47:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481342#M82512</guid>
      <dc:creator>jamie0510</dc:creator>
      <dc:date>2020-03-02T20:47:25Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481343#M82513</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;such as text msg, app redirect, direct opening app, etc
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In the log, is written up?&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 21:46:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481343#M82513</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-03-02T21:46:09Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481344#M82514</link>
      <description>&lt;P&gt;Each of those is indicated by a specific API name. I thought about getting the timestamp by including all possible API names upon first access. However, some APIs have multiple occurrences in a session. Unlike api/place_order, which will only occur once in a session, APIs such as API/shop etc. may occur multiple times during a session because the user clicks around here and there, basically leading to duplicate logs. Thanks.&lt;/P&gt;

&lt;P&gt;Here's the example for better illustration. &lt;BR /&gt;
&lt;A href="https://gyazo.com/c123c1fe28b169ef8fc93cce60516828"&gt;https://gyazo.com/c123c1fe28b169ef8fc93cce60516828&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 21:58:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481344#M82514</guid>
      <dc:creator>jamie0510</dc:creator>
      <dc:date>2020-03-02T21:58:23Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481345#M82515</link>
      <description>&lt;P&gt;Thanks, I will look into it. &lt;/P&gt;</description>
      <pubDate>Mon, 02 Mar 2020 21:58:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481345#M82515</guid>
      <dc:creator>jamie0510</dc:creator>
      <dc:date>2020-03-02T21:58:49Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481346#M82516</link>
      <description>&lt;P&gt;Explore the transaction command using the session_id.&lt;BR /&gt;
Alternatively, you can use stats range(_time) by session_id.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 04:26:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481346#M82516</guid>
      <dc:creator>anmolpatel</dc:creator>
      <dc:date>2020-09-30T04:26:51Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481347#M82517</link>
      <description>&lt;P&gt;UPDATE:(except route_path="api/place_order")&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index="some json file"
| reverse
| streamstats current=f count(eval(route_path="api/place_order")) as session by user_id session_id
| stats range(_time) as duration min(_time) as First max(eval(if(route_path!="api/place_order",_time,NULL))) as Last by user_id session_id session
| eval entire_session_duration=tostring(duration, "duration") 
| eval entire_session_time = replace(entire_session_duration,"(?:()+)?0?(\d+):0?(\d+):0?(\d+)"," \2h \3m \4s") 
| convert ctime(First) ctime(Last)
| table user_id session_id First Last entire_session_duration entire_session_time 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Hi, @jamie0510 &lt;BR /&gt;
How about this?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 04:23:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481347#M82517</guid>
      <dc:creator>to4kawa</dc:creator>
      <dc:date>2020-09-30T04:23:44Z</dc:date>
    </item>
    <item>
      <title>Re: Find time difference between two events with specific condition</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481348#M82518</link>
      <description>&lt;P&gt;Thanks for the effort. I want to extract the time, not the count, for the route_path="api/place_order". Is there a relative time command I can use? &lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 04:23:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Find-time-difference-between-two-events-with-specific-condition/m-p/481348#M82518</guid>
      <dc:creator>jamie0510</dc:creator>
      <dc:date>2020-09-30T04:23:49Z</dc:date>
    </item>
  </channel>
</rss>

