topic Re: How to calculate the difference between two timestamps to get the duration of a video call? in Splunk Search

How to calculate the difference between two timestamps to get the duration of a video call?

murat89 — Tue, 27 Feb 2018 20:18:21 GMT

Hi guys,

im a beginner in Splunk and my issue is that I have Cisco logs and I need to find out the conference duration but there is no field like duration so I have to make it through timestamps.
Below you can see that kind of log and I don't know how to get the timestamps and then calculate the difference between them, please help, im thankful for any idea.

Just a part of Cisco log:
2814 2018/01/22 09:56:39.008 APP Info conference "Terminal 1" created
2846 2018/01/22 12:01:30.213 APP Info conference "Terminal 1": deleted via API (no participants)

Re: How to calculate the difference between two timestamps to get the duration of a video call?

somesoni2 — Tue, 27 Feb 2018 20:46:51 GMT

Best (in terms of performance) is to use stats on a field (or group of fields), preferably a primary key which is common between both type of events (conference start and end) and can uniquely identify the conference. For example, if there is field call conference_id in your logs, you can do something like this

index=YourIndex sourcetype=YourCiscoSourcetype (conference created) OR (conference deleted)
| eval confStart=if(searchmatch("conference created"),"_time,null())
| eval confEnd=if(searchmatch("conference deleted"),"_time,null())
| stats values(confStart) as confStart values(confEnd) as confEnd by conference_id
| eval "duration(in secs)"=confEnd-confStart

Re: How to calculate the difference between two timestamps to get the duration of a video call?

murat89 — Wed, 28 Feb 2018 10:43:45 GMT

Thank you, great solution, i really appreciate that. Unfortunately there is no conference_id but we do have the conference name, here it is "Terminal 1". How to do with that?

Re: How to calculate the difference between two timestamps to get the duration of a video call?

starcher — Tue, 29 Sep 2020 18:17:50 GMT

Extract the data where the name is to a field called conference_name and change out the by conference_id.

Re: How to calculate the difference between two timestamps to get the duration of a video call?

niketn — Sun, 04 Mar 2018 18:49:25 GMT

@murat89, based on the sample data provided please try the following run anywhere search.

PS: First 5 pipes from makeresults to rename are used to generate the mock data. Also while I have extracted _time using rex, you might need the rex command from APP Info conference onward as your data will have timestamp extracted already.

| makeresults
| eval data="2814 2018/01/22 09:56:39.008 APP Info conference \"Terminal 1\" created;2846 2018/01/22 12:01:30.213 APP Info conference \"Terminal 1\": deleted via API (no participants)"
| makemv data delim=";" 
| mvexpand data
| rename data as _raw
| rex "\d{4}\s(?<_time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}.\d{3})\sAPP Info conference\s\"(?<id>[^\"]+)\"(\s|\:)+(?<status>\w+)"
| eval _time=strptime(_time,"%Y/%m/%d %H:%M:%S.%3N")
| stats first(_time) as _time last(_time) as EndTime values(status) as status by id
| search status=created AND status=deleted
| eval duration=EndTime-_time
| fields - EndTime

Re: How to calculate the difference between two timestamps to get the duration of a video call?

murat89 — Sun, 04 Mar 2018 23:24:05 GMT

I have never created a field in Splunk, I know how to create an event type, a field seems little different to me.