Finding time difference between 2 events with different states

KaitoKozo — Wed, 03 Feb 2021 07:32:20 GMT

I am trying to find the time difference between 2 events with different states, in particular when the device turns on or off. However, I only have the field of status which shows that it's on (1) or off (0).

I made use of the delta function to derive whether the device is turning on (1), turning off (-1) or no change in state (0) as state as follows:
| delta status p=1 as switch_state

I would like to know the operation hours of the device (time difference between switch_state=-1 and switch_state=1) but am unsure how to do a comparison.

My previous attempt was to use the streamstats function to compute, however I could only compare between same states as follows:

| streamstats count(eval(switch_state=-1) AS startcount by asset
| stats range(_time) AS duration by startcount asset

Hoping to try to change the code or use a different method to compare between states -1 and 1 within the same field and then find the time difference between them.

Re: Finding time difference between 2 events with different states

tscroggins — Sun, 21 Feb 2021 06:04:14 GMT

@KaitoKozo

In simple scenarios with a relatively small number of events, the transaction command works well enough:

| transaction asset startswith=eval(switch_state==1) endswith=eval(switch_state==-1)
| table _time asset duration
| fieldformat duration=tostring(duration, "duration")

topic Re: Finding time difference between 2 events with different states in Splunk Search

Finding time difference between 2 events with different states

Re: Finding time difference between 2 events with different states