https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295199#M174713 <P>So I basically did this and got what I wanted:</P> <P>transaction host startswith="Launch" endswith="Open" | streamstats sum(TimeSec) as dur window=1 |</P> <P>Thank you for your support. I had been such a stupid to not observe this earlier.</P> Thu, 18 May 2017 13:50:43 GMT pranaynanda 2017-05-18T13:50:43Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295185#M174699 <P>I have events like</P> <P>Event EndDateTime<BR /> Launch 2017-05-16 13:00:00<BR /> .<BR /> .<BR /> .<BR /> Open 2017-05-16 13:00:30</P> <P>I want to subtract time between these two events. </P> <P>I want to implement something like</P> <PRE><CODE>index="myindex" sourcetype="mysourcetype" | transaction host startswith="Launch" endswith="Open"|convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime)| eval difference=[subtract EndDateTime where Event=Open - EndDateTime where Event=Launch| chart avg(difference) </CODE></PRE> <P>I just can't understand how can I work with the eval part about calculating difference. </P> Tue, 16 May 2017 07:44:16 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295185#M174699 pranaynanda 2017-05-16T07:44:16Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295186#M174700 <P>The transaction command should already be giving you duration field, and it would be correct as long as your _time field was extracted based of values of EndDateTime field (both _time and EndDateTime values are same).</P> Tue, 16 May 2017 18:20:56 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295186#M174700 somesoni2 2017-05-16T18:20:56Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295187#M174701 <P>looks like you are looking for the duration between events <BR /> the "duration" field is extracted with the transaction command<BR /> you can just | table duration after your transaction command and you can see the "difference in time"<BR /> hope i understand your question correctly</P> Tue, 16 May 2017 18:21:51 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295187#M174701 adonio 2017-05-16T18:21:51Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295188#M174702 <P>That's the thing. They are not.</P> Wed, 17 May 2017 06:39:40 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295188#M174702 pranaynanda 2017-05-17T06:39:40Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295189#M174703 <P>The _time and EndDateTime values are not same. duration won't work in that case. Also, I did try what you're telling before posting this question and there were differences in answers which makes sense as _time did not add the time taken by last event in duration.</P> Wed, 17 May 2017 06:40:22 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295189#M174703 pranaynanda 2017-05-17T06:40:22Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295190#M174704 <P>You can try creating a TRANID manually and get the difference -</P> <PRE><CODE>index="myindex" sourcetype="mysourcetype" "Launch" OR "Open" | eval TRANID=if(like(EVENT,"%Launch%"),1,0) | streamstats sum(TRANID) as TRANID | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime) | eval start_time=if(like(EVENT,"%Launch%"),EndDateTime,0) | eval end_time=if(like(EVENT,"%Open%"),EndDateTime,0) | stats sum(start_time) as start_time,sum(end_time) as end_time by TRANID | eval diff=end_time=start_time </CODE></PRE> Wed, 17 May 2017 07:50:24 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295190#M174704 dineshraj9 2017-05-17T07:50:24Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295191#M174705 <P>Did not work! <span class="lia-unicode-emoji" title=":confused_face:">😕</span> </P> <P>It says: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]). </P> Thu, 18 May 2017 10:07:18 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295191#M174705 pranaynanda 2017-05-18T10:07:18Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295192#M174706 <P>My bad, in the last eval mistakenly gave "=" instead of "-"</P> <PRE><CODE> index="myindex" sourcetype="mysourcetype" "Launch" OR "Open" | eval TRANID=if(like(EVENT,"%Launch%"),1,0) | streamstats sum(TRANID) as TRANID | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime) | eval start_time=if(like(EVENT,"%Launch%"),EndDateTime,0) | eval end_time=if(like(EVENT,"%Open%"),EndDateTime,0) | stats list(EVENT) as EVENTS,sum(start_time) as start_time,sum(end_time) as end_time by TRANID | eval diff=end_time-start_time </CODE></PRE> Thu, 18 May 2017 10:23:20 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295192#M174706 dineshraj9 2017-05-18T10:23:20Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295193#M174707 <P>It only returns all values TRANID, start_time, end_time and diff as '0'</P> Tue, 29 Sep 2020 14:07:59 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295193#M174707 pranaynanda 2020-09-29T14:07:59Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295194#M174708 <P>Can you provide few sample data for a single transaction?</P> Thu, 18 May 2017 10:42:36 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295194#M174708 dineshraj9 2017-05-18T10:42:36Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295195#M174709 <H2>Test Name Start Date Start Time Time Interval Stop Date/Time Start Time(ms) Stop Time(ms) Run Time(min) Run Time(sec) Run Time(ms)</H2> <P>Launch 5/18/2017 14:00:37 14 5/18/2017 14:01 2.98235E+11 2.98331E+11 0.51 30.87 30865.67<BR /> Login 5/18/2017 14:01:34 14 5/18/2017 14:03 2.98401E+11 2.98741E+11 1.74 104.41 104412.77<BR /> Search 5/18/2017 14:04:08 14 5/18/2017 14:04 2.98854E+11 2.98884E+11 0.17 10.24 10244.62<BR /> CheckOut 5/18/2017 14:04:48 14 5/18/2017 14:04 2.98969E+11 2.98977E+11 0.05 2.71 2713.89<BR /> Expand 5/18/2017 14:06:47 14 5/18/2017 14:07 2.99316E+11 2.99476E+11 0.92 54.97 54971.75<BR /> LaunchApp 5/18/2017 14:08:36 14 5/18/2017 14:20 2.99636E+11 3.01742E+11 12.01 720.87 720872.82<BR /> Open 5/18/2017 14:21:32 14 5/18/2017 14:31 3.01903E+11 3.03665E+11 10.05 603.24 603235.27</P> <P>The Stop Date/Time column is extracted in Splunk as EndDateTime.</P> Thu, 18 May 2017 11:06:19 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295195#M174709 pranaynanda 2017-05-18T11:06:19Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295196#M174710 <P>I tested with your data this way and it is working for me this way -</P> <PRE><CODE> basesearch | rename "Stop Date/Time" as EndDateTime,"Test Name" as EVENT | eval EndDateTime=round(strptime(EndDateTime,"%m/%d/%Y %H:%M")) | eval TRANID=if(like(EVENT,"Launch"),1,0) | streamstats sum(TRANID) as TRANID | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime) | eval start_time=if(like(EVENT,"Launch"),EndDateTime,0) | eval end_time=if(like(EVENT,"Open"),EndDateTime,0) | stats list(EVENT) as EVENTS,sum(start_time) as start_time,sum(end_time) as end_time by TRANID | eval diff=end_time-start_time </CODE></PRE> Thu, 18 May 2017 12:03:03 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295196#M174710 dineshraj9 2017-05-18T12:03:03Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295197#M174711 <P>Thanks for your support. I just relaized that when I have the RunTime in seconds for each event, I can also get a sum of all of them by each Transaction. The thing is that sum(TimeSec) add all of them where I want it by transaction.</P> Thu, 18 May 2017 13:18:27 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295197#M174711 pranaynanda 2017-05-18T13:18:27Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295198#M174712 <P>O I basically did this and got what I wanted:</P> <P>transaction host startswith="Launch" endswith="Open" | streamstats sum(TimeSec) as dur window=1 |</P> <P>Thank you for your support. I had been such a stupid to not observe this earlier.</P> Thu, 18 May 2017 13:50:43 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295198#M174712 pranaynanda 2017-05-18T13:50:43Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295199#M174713 <P>So I basically did this and got what I wanted:</P> <P>transaction host startswith="Launch" endswith="Open" | streamstats sum(TimeSec) as dur window=1 |</P> <P>Thank you for your support. I had been such a stupid to not observe this earlier.</P> Thu, 18 May 2017 13:50:43 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295199#M174713 pranaynanda 2017-05-18T13:50:43Z https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295200#M174714 <P>@pranaynanda - I've converted your comment to an answer. Thanks for posting it. </P> <P>Please accept your answer so the question will show as closed.</P> Thu, 18 May 2017 14:34:38 GMT https://community.splunk.com/t5/Splunk-Search/Compute-time-difference-between-events/m-p/295200#M174714 DalJeanis 2017-05-18T14:34:38Z