https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233693#M69431 <P><STRONG>OPTION 1 : Using stats command</STRONG><BR /> Best way to do is by Stats as it will run faster and give you control over inputs/outputs:</P> <PRE><CODE> Your base Search request_type="LeaveBidsRequest" | stats count(request_pid) as eventcount min(_time) as MinTime max(_time) as MaxTime by request_pid | search eventcount&gt;1 | eval Response_Time=(MaxTime-MinTime) | table request_pid Response_Time </CODE></PRE> <P><STRONG>OPTION 2 : Using transaction command</STRONG><BR /> You can also try transaction which is easier to write but should not be executed for longer duration resulting in several thousand event matches (which might result in slowness and orphaned records).</P> <PRE><CODE> Your base Search request_type="LeaveBidsRequest" | transaction request_pid | search eventcount&gt;1 | rename duration as Response_Time | table request_pid Response_Time </CODE></PRE> <P>PS: <BR /> 1) Response_Time is in seconds for both examples.<BR /> 2) Transaction Command computes eventcount and duration automatically (based on first and last events matched).<BR /> 3) Use of maxpause, maxspan, keeporphaned, keepevicted, startswith and endswith should be considered for transaction to run faster. Nevertheless Transaction is only suitable if you provide Key field in your search like reques_pid in your Use case. Otherwise stats should be used for scenarios like this.<BR /> 4) Another scenario in all Use Case would be to find orphaned records or eventcount=1, where no match for LeaveBidsRequest is found for duration&gt; defined SLA.</P> Tue, 29 Sep 2020 11:53:51 GMT niketn 2020-09-29T11:53:51Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233692#M69430 <P>I have a table as below. I need to calculate the time difference between the below two events.</P> <P>request_pid _time Milli_Sec request_type<BR /> 11600 2016-11-19 17:20:50 17.262275 LeaveBidsRequest<BR /> 11600 2016-11-19 17:20:51 17.803375 LeaveBidsRequest<BR /> 19243 2016-11-19 17:36:51 77.376436 LeaveBidsRequest<BR /> 19243 2016-11-19 17:36:53 78.502509 LeaveBidsRequest<BR /> 21012 2016-11-19 17:38:38 67.263722 LeaveBidsRequest<BR /> 21012 2016-11-19 17:38:38 67.678533 LeaveBidsRequest </P> <P>Sample output like<BR /> request_pid Response_Time<BR /> 11600 1.5411.</P> <P>Can someone help me?</P> Tue, 29 Sep 2020 11:50:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233692#M69430 premselvans 2020-09-29T11:50:49Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233693#M69431 <P><STRONG>OPTION 1 : Using stats command</STRONG><BR /> Best way to do is by Stats as it will run faster and give you control over inputs/outputs:</P> <PRE><CODE> Your base Search request_type="LeaveBidsRequest" | stats count(request_pid) as eventcount min(_time) as MinTime max(_time) as MaxTime by request_pid | search eventcount&gt;1 | eval Response_Time=(MaxTime-MinTime) | table request_pid Response_Time </CODE></PRE> <P><STRONG>OPTION 2 : Using transaction command</STRONG><BR /> You can also try transaction which is easier to write but should not be executed for longer duration resulting in several thousand event matches (which might result in slowness and orphaned records).</P> <PRE><CODE> Your base Search request_type="LeaveBidsRequest" | transaction request_pid | search eventcount&gt;1 | rename duration as Response_Time | table request_pid Response_Time </CODE></PRE> <P>PS: <BR /> 1) Response_Time is in seconds for both examples.<BR /> 2) Transaction Command computes eventcount and duration automatically (based on first and last events matched).<BR /> 3) Use of maxpause, maxspan, keeporphaned, keepevicted, startswith and endswith should be considered for transaction to run faster. Nevertheless Transaction is only suitable if you provide Key field in your search like reques_pid in your Use case. Otherwise stats should be used for scenarios like this.<BR /> 4) Another scenario in all Use Case would be to find orphaned records or eventcount=1, where no match for LeaveBidsRequest is found for duration&gt; defined SLA.</P> Tue, 29 Sep 2020 11:53:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233693#M69431 niketn 2020-09-29T11:53:51Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233694#M69432 <P>Hello niketnilay,</P> <P>Hope you are doing well.</P> <P>Thanks for the answer. I've tried transaction already. But it gives difference in seconds. </P> <P>I would like to subtract the time as below</P> <P>11600 <STRONG>2016-11-19 17:20:50 17.262275</STRONG> LeaveBidsRequest<BR /> 11600 <STRONG>2016-11-19 17:20:51 17.803375</STRONG> LeaveBidsRequest</P> <P>Response_Time=(2016-11-19 17:20:51 17.803375) - (2016-11-19 17:20:50 17.262275)</P> <P>Milli_Sec is stored as a separate field. </P> Sun, 20 Nov 2016 07:47:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233694#M69432 premselvans 2016-11-20T07:47:29Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233695#M69433 <P>I agree with @nikenilay that stats is the best way to go. But I think there is a much easier stats command to do what you want</P> <PRE><CODE> Your base Search request_type="LeaveBidsRequest" | stats range(_time) as Response_Time earliest(Milli_Sec) as ems latest(Milli_Sec) as lms by request_pid | eval Response_Time = Response_Time + lms - ems | fields - lms ems </CODE></PRE> <P>Hope this helps!</P> Sun, 20 Nov 2016 07:50:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-respose-time-between-two-events/m-p/233695#M69433 lguinn2 2016-11-20T07:50:41Z