topic Re: How do you determine the time difference between two events? in Splunk Search

How do you determine the time difference between two events?

muzicman61 — Mon, 21 Jan 2019 17:58:53 GMT

So I've read several previous questions on how to get the time difference between events, and they all seem to revolve around the transaction command. But that seems to then group my events and I don't want that.

My search gives me exactly what I want, but I'd simply like to determine the time difference between two events. I'm sure it's simple but I've spent too much time, so now, it is time to ask the community.

Thanks,
Rob

Re: How do you determine the time difference between two events?

skoelpin — Mon, 21 Jan 2019 18:06:58 GMT

You should post your query which would make it easier for us to help you. Try adding an eval like this

| eval New_field_name=time_end - time_start

Replace New_field_name with your new field name. And replace time_end and time_start with your field names

Re: How do you determine the time difference between two events?

muzicman61 — Tue, 29 Sep 2020 22:51:30 GMT

Thanks... Here is my query:

sourcetype="QMGR:manager" source="/opt/web/tomcat_instances/logs/tomcat_1/sessionmanager.sm.log.*" action ("540262" OR "15771078996")

But I'm not sure what field names I would substitute in your example.

Re: How do you determine the time difference between two events?

skoelpin — Tue, 22 Jan 2019 14:33:00 GMT

You need to list the two fields that represent the start time and end time..

Re: How do you determine the time difference between two events?

FrankVl — Tue, 22 Jan 2019 15:28:38 GMT

I think he is asking for time difference between 2 separate events, not the difference between 2 time fields in 1 event.

Re: How do you determine the time difference between two events?

FrankVl — Tue, 22 Jan 2019 15:30:48 GMT

Should be possible to do that with the | streamstats command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats

In its simplest form, it would look something like this (to add a field in each event with the difference between the _time value of that event and the previous event):

...your current search...
| streamstats window=2 range(_time) as timediff

Or alternatively, using the | delta command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta

...your current search...
| delta _time as timediff

Re: How do you determine the time difference between two events?

skoelpin — Tue, 22 Jan 2019 15:33:15 GMT

Ah I see. He mentioned using the transaction command and finding the difference. Garbage questions get garbage answers

Re: How do you determine the time difference between two events?

muzicman61 — Tue, 22 Jan 2019 16:01:35 GMT

Sorry you think my question was garbage. I'm new to Splunk and trying my best to learn. If you read my first post I mention that OTHER posts mention the transaction command but that was not what I wanted as it grouped my transactions. Maybe some people just need to learn how to read.

Re: How do you determine the time difference between two events?

muzicman61 — Tue, 22 Jan 2019 16:04:34 GMT

Thanks Frank. The delta command did exactly what I needed.

Re: How do you determine the time difference between two events?

skoelpin — Tue, 22 Jan 2019 16:09:10 GMT

You're question was vague with little details. If you want help on here, I'd strongly recommend you try not insulting users and add some effort into your questions..