topic Re: Comparing an incidents event timestamp to Splunk landing timestamp in Splunk Search

Comparing an incidents event timestamp to Splunk landing timestamp

auzark — Tue, 23 Apr 2024 10:41:33 GMT

I would like some help creating a report that will show the seconds diff between my event timestamp and the Splunk landing timestamp.

I have the below query which will give me the diff between _indextime and _time but I would also like the seconds difference between GenerationTime (ie...2024-04-23 12:49:52) and _indextime.

index=splunk_index sourcetype=splunk_sourcetype
| eval tnow = now() | convert ctime(tnow)
| convert ctime(_indextime) as Index_Time
| eval secondsDifference=_indextime-_time
| table Node EventNumber GenerationTime Index_Time, _time, secondsDifference

Re: Comparing an incidents event timestamp to Splunk landing timestamp

richgalloway — Tue, 23 Apr 2024 12:04:55 GMT

Convert GenerationTime into epoch format, then take the difference between the result and _indextime.

index=splunk_index sourcetype=splunk_sourcetype | eval tnow = now() | convert ctime(tnow) | convert ctime(_indextime) as Index_Time | eval secondsDifference=_indextime-_time | eval genEpoch = strptime(GenerationTime, "%Y-%m-%d %H:%M:%S") | eval genSecondsDifference = _indextime - genEpoch | table Node EventNumber GenerationTime Index_Time, _time, secondsDifference, genSecondsDifference

Re: Comparing an incidents event timestamp to Splunk landing timestamp

tej57 — Tue, 23 Apr 2024 12:15:14 GMT

Hello @auzark ,

You can assign a particular field to _indextime and then use that to find the difference. The only catch here would be that _indextime would be in epoch time and hence, you'll have to convert the GenerationTime into epoch format before calculating the difference. Your query should look something like below:

index=splunk_index sourcetype=splunk_sourcetype | eval tnow = now() | eval indexTime = _indextime | eval GenerationTime_epoch=strptime(GenerationTime,"%Y-%m-%d %H"%M:%S") | convert ctime(tnow) | convert ctime(_indextime) as Index_Time | eval secondsDifference=indexTime-_time | eval GenTimeDifferenceInSeconds = GenerationTime_epoch-indexTime | table Node EventNumber GenerationTime Index_Time, _time, secondsDifference,GenTimeDifferenceInSeconds

Thanks,
Tejas.

---
If the above solution helps, an upvote is appreciated!!

Re: Comparing an incidents event timestamp to Splunk landing timestamp

auzark — Wed, 24 Apr 2024 02:47:34 GMT

Thanks, Tejas and Rich... Very much appreciated.

Re: Comparing an incidents event timestamp to Splunk landing timestamp

auzark — Mon, 29 Apr 2024 06:44:39 GMT

Hi Rich,

How would I incorporate an average of genSecondsDifference over a 24 hour period? for 7 days?

Re: Comparing an incidents event timestamp to Splunk landing timestamp

auzark — Mon, 29 Apr 2024 06:50:23 GMT

How would I incorporate an average of genSecondsDifference over a 24 hour period? for 7 days?