https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59001#M14533 <P>The first search worked great, but the results scared me. Thanks for the help. I was definitely making it more complicated than I should have.</P> Fri, 25 May 2012 18:42:16 GMT nelsonb 2012-05-25T18:42:16Z https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/58999#M14531 <P>I'm unable to get this search to output anything except the _time of the first search:</P> <P><CODE>|set diff [ search index="collect" host="app*" | regex _raw="backgroundWorkerLoad\w+Completed(?!\sEND)" | dedup source | rename _time AS time_one ] [ search index="collect" host="app*" | regex _raw="backgroundWorkerLoad\w+Completed\sEND" | dedup source | rename _time AS time_two ] | convert timeformat="%H:%M:%S" ctime(time_one) ctime(time_two) | eval duration=time_two-time_one | table source time_one time_two duration</CODE></P> <P>anyway it's a logfile that timestamps when the backgroundworker sub starts a routine followed by another entry where it ENDs. It happens multiple times per source so dedup being used in this way probably isn't the best idea. There are many difference sources being indexed each with a unique name. Is this the way to do this? Thanks in advance. </P> Wed, 23 May 2012 21:51:11 GMT https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/58999#M14531 nelsonb 2012-05-23T21:51:11Z https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59000#M14532 <PRE><CODE>index=collect host=app* "backgroundWorkLoad Completed" | stats range(_time) as duration earliest(_time) as time_one latest(_time) as time_two by source </CODE></PRE> <P>will probably get you the right results efficiently. Otherwise:</P> <PRE><CODE>index=collect host=app* "backgroundWorkLoad Completed" | eval time_one=if(match(_raw, "backgroundWorkerLoad\w+Completed(?!\sEND)"),_time,null() | eval time_two=if(match(_raw, "backgroundWorkerLoad\w+Completed\sEND"),_time,null()) | stats earliest(time_one) as time_one latest(time_two) as time_two by source | eval duration=time_two-time_one </CODE></PRE> <P>should get you the same as what you appear to intend.</P> Thu, 24 May 2012 00:09:07 GMT https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59000#M14532 gkanapathy 2012-05-24T00:09:07Z https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59001#M14533 <P>The first search worked great, but the results scared me. Thanks for the help. I was definitely making it more complicated than I should have.</P> Fri, 25 May 2012 18:42:16 GMT https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59001#M14533 nelsonb 2012-05-25T18:42:16Z https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59002#M14534 <P>The one problem with doing the stat by source though is that it's only returning one result by source. Each source has several hundred occurences of these pairs of events happening. Is there some other way to sort the returns? I'm trying a few variations.</P> Fri, 25 May 2012 19:36:47 GMT https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59002#M14534 nelsonb 2012-05-25T19:36:47Z https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59003#M14535 <P>Okay, then you need to use the <CODE>transaction</CODE> command, which automatically calculates duration. Something like: </P> <PRE><CODE>index=collect host=app* "backgroundWorkLoad Completed" | transaction source startswith=("backgroundWorkLoad Completed NOT END") endswith=("backgroundworkerload Completed END") maxevents=2 | table source duration </CODE></PRE> <P>might work.</P> Fri, 25 May 2012 23:42:06 GMT https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59003#M14535 gkanapathy 2012-05-25T23:42:06Z https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59004#M14536 <P>This returned all the results I was looking for. Thanks!</P> Tue, 29 May 2012 17:53:35 GMT https://community.splunk.com/t5/Splunk-Search/Finding-the-time-difference-between-two-subsearches/m-p/59004#M14536 nelsonb 2012-05-29T17:53:35Z