time difference between two events.
I need to calculate the time difference between two events in Splunk. Using the transaction command, can I do that?

In my logs I have my own field called "TIMESTAMP". Please help.


Re: time difference between two events.


If you want to use transaction, create a transaction that starts with the first event and ends with the second. The transaction command will automatically create a field duration that holds the time difference between the first and the last event in the transaction, so if you have Splunk configured to use "TIMESTAMP" as what it takes its own timestamp from, just getting the duration field will give you what you want.

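A worked version of the approach in the answer above, added here as an example and not part of the original question or answer. It builds two constructed events with makeresults so it can be pasted into any Splunk search bar without indexed data; the field names event_id and action, the values, and the TIMESTAMP format "%Y-%m-%d %H:%M:%S" are assumptions for the illustration. The strptime step stands in for having Splunk parse TIMESTAMP into _time at index time (props.conf TIME_PREFIX/TIME_FORMAT); transaction computes duration from _time, so if TIMESTAMP is not already the event time you must convert it first. The final stats stanza goes beyond the answer and shows the same difference computed without transaction.

```spl
| makeresults count=2
| streamstats count AS n
| eval event_id=42,
      action=if(n==1, "start", "finish"),
      TIMESTAMP=if(n==1, "2024-05-01 10:00:00", "2024-05-01 10:03:30")
| eval _time=strptime(TIMESTAMP, "%Y-%m-%d %H:%M:%S")
| sort - _time
| transaction event_id startswith="action=start" endswith="action=finish"
| table event_id duration

| makeresults count=2
| streamstats count AS n
| eval event_id=42,
      TIMESTAMP=if(n==1, "2024-05-01 10:00:00", "2024-05-01 10:03:30")
| eval _time=strptime(TIMESTAMP, "%Y-%m-%d %H:%M:%S")
| stats min(_time) AS t_start max(_time) AS t_end BY event_id
| eval duration=t_end - t_start
| table event_id duration
```

Both searches return event_id 42 with duration 210 (seconds). The `sort - _time` before transaction matters: transaction expects events in reverse chronological order, which is how a normal search delivers them but not how makeresults does, and without it startswith/endswith can pair the events the wrong way round. In the stats form there is no pairing at all, only the span between the earliest and latest event per event_id, which is cheaper on large result sets but cannot tell you whether both a start and a finish were actually present.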