Compute time difference between events

Path Finder

I have events like

Event EndDateTime
Launch 2017-05-16 13:00:00
.
.
.
Open 2017-05-16 13:00:30

I want to subtract time between these two events.

I want to implement something like

index="myindex" sourcetype="mysourcetype"  | transaction host startswith="Launch" endswith="Open"|convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime)| eval difference=[subtract EndDateTime where Event=Open - EndDateTime where Event=Launch| chart  avg(difference) 

I just can't understand how can I work with the eval part about calculating difference.


Re: Compute time difference between events

SplunkTrust

The transaction command should already be giving you a duration field, and it would be correct as long as your _time field was extracted based on the values of the EndDateTime field (both _time and EndDateTime values are the same).


Re: Compute time difference between events

Path Finder

That's the thing. They are not.


Re: Compute time difference between events

SplunkTrust

Looks like you are looking for the duration between events.
The "duration" field is extracted with the transaction command.
You can just add | table duration after your transaction command and you can see the "difference in time".
Hope I understand your question correctly.


Re: Compute time difference between events

Path Finder

The _time and EndDateTime values are not the same, so duration won't work in that case. Also, I did try what you're suggesting before posting this question and there were differences in the answers, which makes sense as _time did not add the time taken by the last event to duration.


Re: Compute time difference between events

Builder

You can try creating a TRANID manually and getting the difference:

index="myindex" sourcetype="mysourcetype" "Launch" OR "Open" | eval TRANID=if(like(EVENT,"%Launch%"),1,0) | streamstats sum(TRANID) as TRANID | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime) | eval start_time=if(like(EVENT,"%Launch%"),EndDateTime,0)  | eval end_time=if(like(EVENT,"%Open%"),EndDateTime,0) | stats sum(start_time) as start_time,sum(end_time) as end_time by TRANID | eval diff=end_time=start_time 

Re: Compute time difference between events

Path Finder

Did not work! 😕

It says: Error in 'eval' command: Fields cannot be assigned a boolean result. Instead, try if([bool expr], [expr], [expr]).


Re: Compute time difference between events

Builder

My bad, in the last eval I mistakenly gave "=" instead of "-":

index="myindex" sourcetype="mysourcetype" "Launch" OR "Open" | eval TRANID=if(like(EVENT,"%Launch%"),1,0) | streamstats sum(TRANID) as TRANID | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(EndDateTime) | eval start_time=if(like(EVENT,"%Launch%"),EndDateTime,0) | eval end_time=if(like(EVENT,"%Open%"),EndDateTime,0) | stats list(EVENT) as EVENTS,sum(start_time) as start_time,sum(end_time) as end_time by TRANID | eval diff=end_time-start_time
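The pairing logic of the query above (a new TRANID at every Launch, the following Open closes it, difference taken from EndDateTime rather than _time), rewritten in Python as an added example that is not from the thread or from Splunk, so it can be checked against constructed sample events. It assumes the field is named Event as in the question (the query uses EVENT, and Splunk field names are case-sensitive), and it drops transactions that lack a Launch or an Open instead of computing a diff against a 0 start or end time as the stats/sum approach would.

```python
from datetime import datetime

# Constructed sample events (not from the thread), in the order Splunk would
# return them: two complete Launch/Open pairs plus a Launch with no Open.
SAMPLE_EVENTS = [
    {"Event": "Launch", "EndDateTime": "2017-05-16 13:00:00"},
    {"Event": "Open",   "EndDateTime": "2017-05-16 13:00:30"},
    {"Event": "Launch", "EndDateTime": "2017-05-16 13:05:00"},
    {"Event": "Open",   "EndDateTime": "2017-05-16 13:05:45"},
    {"Event": "Launch", "EndDateTime": "2017-05-16 13:10:00"},  # unmatched
]

# Same format string the thread passes to convert timeformat=... mktime()
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def mktime(value: str) -> float:
    """Equivalent of convert mktime(EndDateTime): string -> epoch seconds."""
    return datetime.strptime(value, TIME_FORMAT).timestamp()


def pair_launch_open(events):
    """Mirror of the streamstats TRANID trick.

    Every Launch increments the transaction id and records a start time; the
    first Open seen afterwards records the end time for that id.  Returns
    {TRANID: diff_seconds} for complete pairs only, so an Open with no prior
    Launch (TRANID 0) or a Launch with no Open never yields a bogus diff.
    """
    tranid = 0
    start, end = {}, {}
    for ev in events:
        if ev["Event"] == "Launch":
            tranid += 1
            start[tranid] = mktime(ev["EndDateTime"])
        elif ev["Event"] == "Open" and tranid > 0:
            end.setdefault(tranid, mktime(ev["EndDateTime"]))
    return {t: end[t] - start[t] for t in start if t in end}


def average_difference(events):
    """What chart avg(difference) would report over the complete pairs."""
    diffs = pair_launch_open(events)
    return sum(diffs.values()) / len(diffs) if diffs else None


if __name__ == "__main__":
    for tranid, diff in pair_launch_open(SAMPLE_EVENTS).items():
        print(f"TRANID={tranid} diff={diff:.0f}s")
    print("avg(difference) =", average_difference(SAMPLE_EVENTS))
```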

Re: Compute time difference between events

Path Finder

It only returns all values (TRANID, start_time, end_time and diff) as '0'.


Re: Compute time difference between events

Builder

Can you provide a few sample data for a single transaction?
