https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91744#M23679 <P>I have log entries looking as follows:</P> <PRE><CODE>Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47,993; Nov 16 08:33:08 psdkxt05 MID=xxx004E;XID=;SID=;UID=;STM=2010-11-16 08:33:08,824; Nov 16 08:07:44 psdkxt05 MID=XXX005I;XID=;SID=;UID=;STM=2010-11-16 08:07:44,255; Nov 16 08:03:03 psdkxt05 MID=XXX004E;XID=;SID=;UID=;STM=2010-11-16 08:03:03,120; </CODE></PRE> <P>I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E</P> <P>I have following search:</P> <PRE><CODE>host = psdkxt05 MID=XXX004E OR MID=XXX005I | EVAL PRC=SUBSTR(MID,1,3) | EVAL ERR=SUBSTR(MID,5,3) | SORT -_time | delta _time as diff | EVAL Outage(Minutes)=ROUND(diff/-60) | TABLE PRC ERR Outage(Minutes) _time </CODE></PRE> <P>This gives following result:</P> <PRE><CODE> 1. 1 11/16/10 8:37:47.000 AM XXX 05I 2. 2 11/16/10 8:33:08.000 AM XXX 04E 5 3. 3 11/16/10 8:07:44.000 AM XXX 05I 25 4. 4 11/16/10 8:03:03.000 AM XXX 04E 5 </CODE></PRE> <P>How do I avoid the calculation in line 3?</P> Thu, 18 Nov 2010 18:33:37 GMT JYTTEJ 2010-11-18T18:33:37Z https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91744#M23679 <P>I have log entries looking as follows:</P> <PRE><CODE>Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47,993; Nov 16 08:33:08 psdkxt05 MID=xxx004E;XID=;SID=;UID=;STM=2010-11-16 08:33:08,824; Nov 16 08:07:44 psdkxt05 MID=XXX005I;XID=;SID=;UID=;STM=2010-11-16 08:07:44,255; Nov 16 08:03:03 psdkxt05 MID=XXX004E;XID=;SID=;UID=;STM=2010-11-16 08:03:03,120; </CODE></PRE> <P>I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E</P> <P>I have following search:</P> <PRE><CODE>host = psdkxt05 MID=XXX004E OR MID=XXX005I | EVAL PRC=SUBSTR(MID,1,3) | EVAL ERR=SUBSTR(MID,5,3) | SORT -_time | delta _time as diff | EVAL Outage(Minutes)=ROUND(diff/-60) | TABLE PRC ERR Outage(Minutes) _time </CODE></PRE> <P>This gives following result:</P> <PRE><CODE> 1. 1 11/16/10 8:37:47.000 AM XXX 05I 2. 2 11/16/10 8:33:08.000 AM XXX 04E 5 3. 3 11/16/10 8:07:44.000 AM XXX 05I 25 4. 4 11/16/10 8:03:03.000 AM XXX 04E 5 </CODE></PRE> <P>How do I avoid the calculation in line 3?</P> Thu, 18 Nov 2010 18:33:37 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91744#M23679 JYTTEJ 2010-11-18T18:33:37Z https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91745#M23680 <P>This looks like a good opportunity for "... | transaction ...". When you build a transaction, it will automatically compute a "duration" field for that transaction that is the number of seconds from the beginning to end. I don't fully understand your data, but something like this might work:</P> <PRE><CODE>host=psdkxt05 MID=XXX004E OR MID=XXX005 | transaction beginswith=XXX004E endswith=XXX005I | EVAL PRC=SUBSTR(MID,1,3) | EVAL ERR=SUBSTR(MID,5,3) | EVAL Outage(Minutes)=duration/60 | TABLE PRC ERR Outage(Minutes) _time </CODE></PRE> <P>See <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction" rel="nofollow">http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction</A> for more details.</P> Thu, 18 Nov 2010 20:23:28 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91745#M23680 dwaddle 2010-11-18T20:23:28Z https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91746#M23681 <P>THANK YOU!I did try the transaction before asking the question. But could not make it work- but it does now with your help :-). Thank you so much. (I am quite new in the SPLUNK world...)</P> Thu, 18 Nov 2010 21:43:15 GMT https://community.splunk.com/t5/Splunk-Search/Calculate-time-between-two-different-events/m-p/91746#M23681 JYTTEJ 2010-11-18T21:43:15Z