https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587782#M204704 <P>hi, I'm finding how to calculate each time difference from near 2 events</P> <P>&nbsp;</P> <P>for example,</P> <P>if my search output is</P> <P>f1&nbsp; &nbsp; datetime</P> <P>A&nbsp; &nbsp; &nbsp;~~ 09:00</P> <P>A&nbsp; &nbsp; ~~ 10:00</P> <P>A&nbsp; &nbsp; ~~ 15:00</P> <P>B&nbsp; &nbsp; ~~ 06:00</P> <P>B&nbsp; &nbsp; ~~ 08:30</P> <P>&nbsp;</P> <P>I want a table like</P> <P>A 1:00</P> <P>A 5:00</P> <P>B 2:30</P> <P>&nbsp;</P> <P>I prefer to print it without making big temporary output table(for look-up or etc) if I can</P> <P>can I get some ideas?</P> Tue, 08 Mar 2022 04:13:28 GMT JSIrony 2022-03-08T04:13:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587782#M204704 <P>hi, I'm finding how to calculate each time difference from near 2 events</P> <P>&nbsp;</P> <P>for example,</P> <P>if my search output is</P> <P>f1&nbsp; &nbsp; datetime</P> <P>A&nbsp; &nbsp; &nbsp;~~ 09:00</P> <P>A&nbsp; &nbsp; ~~ 10:00</P> <P>A&nbsp; &nbsp; ~~ 15:00</P> <P>B&nbsp; &nbsp; ~~ 06:00</P> <P>B&nbsp; &nbsp; ~~ 08:30</P> <P>&nbsp;</P> <P>I want a table like</P> <P>A 1:00</P> <P>A 5:00</P> <P>B 2:30</P> <P>&nbsp;</P> <P>I prefer to print it without making big temporary output table(for look-up or etc) if I can</P> <P>can I get some ideas?</P> Tue, 08 Mar 2022 04:13:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587782#M204704 JSIrony 2022-03-08T04:13:28Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587785#M204706 <P>Are you looking for&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta#delta" target="_blank" rel="noopener">delta</A>?</P><LI-CODE lang="markup">| delta _time as timedelta</LI-CODE> Mon, 07 Mar 2022 03:17:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587785#M204706 yuanliu 2022-03-07T03:17:49Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587794#M204709 <P>thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>I considered about delta, but it can't be grouped by another field (like f1 in question i wrote)</P><P>&nbsp;</P><P>now I'm trying using streamstats-range-window=2 with time sorted table like this</P><P>| streamstats window=2 range(_time) by f1</P><P>&nbsp;</P><P>are there other better solutions?&nbsp;</P> Mon, 07 Mar 2022 04:27:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587794#M204709 JSIrony 2022-03-07T04:27:43Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587803#M204714 <P>If groupby is a requirement (not quite clear in OP), streamstats is the answer.</P> Mon, 07 Mar 2022 07:26:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587803#M204714 yuanliu 2022-03-07T07:26:34Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587815#M204720 <P>Assuming you have the times (_time) in epoch format</P><LI-CODE lang="markup">| streamstats range(_time) as timediff window=2 global=f by f1 | where timediff&gt;0 | eval timediff=tostring(timediff,"duration")</LI-CODE> Mon, 07 Mar 2022 09:59:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-time-interval-between-each-near-two-events/m-p/587815#M204720 ITWhisperer 2022-03-07T09:59:58Z