Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How To Compare Dates Between Two Different Sourcetypes

ebruozys
Path Finder
‎11-20-2017 06:39 AM

I want to calculate how long it takes until a event from one sourcetype switches to another sourcetype. For example event with ID 12345 enters sourcetype "start" on 2017-10-17 on 2017-10-30 it disapears from sourcetype 'start' and enters sourcetype "second_stage". I want to know how many days it took for to go to the second stage.

So far I have tried the following command
(index="test" source="start") OR (index="test" source="second_stage") ID=12345 | eval Start_Date=strptime(STARTDATE, "%Y-%m-%d %H:%M:%S."%N") | eval SecondStage_Date=strptime(SECONDSTAGEDATE,"%Y-%m-%d %H:%M:%S.%N") | eval Duration=floor((SecondStage_Date-Start_Date)/86400)

On execution of the search the field Duration stays empty. I asume that somehow I need to combine the Start_Date and SecondStage_Date to the ID, but I have no idea how to do that.

Does anybody else know how to do that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 07:29 AM

Hi ebruozys,
try something like this

(index="test" source="start") OR (index="test" source="second_stage") ID=12345
| stats earliest(STARTDATE) AS STARTDATE earliest(SECONDSTAGEDATE) AS SECONDSTAGEDATE
| eval 
     Start_Date=strptime(STARTDATE, "%Y-%m-%d %H:%M:%S."%N"),
     SecondStage_Date=strptime(SECONDSTAGEDATE,"%Y-%m-%d %H:%M:%S.%N"),
     Duration=floor((SecondStage_Date-Start_Date)/86400)
| table STARTDATE SECONDSTAGEDATE Duration

I prefer to use tostring funtion to show durations, in other words replace last eval with Duration=tostring(SecondStage_Date-Start_Date,"duration")
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-20-2017 08:43 AM

@ebruozys, can you add the background of what is the process for your use case? Why and how do you get sourcetype of an event changed to a new one and purged from the original?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 07:29 AM

Hi ebruozys,
try something like this

(index="test" source="start") OR (index="test" source="second_stage") ID=12345
| stats earliest(STARTDATE) AS STARTDATE earliest(SECONDSTAGEDATE) AS SECONDSTAGEDATE
| eval 
     Start_Date=strptime(STARTDATE, "%Y-%m-%d %H:%M:%S."%N"),
     SecondStage_Date=strptime(SECONDSTAGEDATE,"%Y-%m-%d %H:%M:%S.%N"),
     Duration=floor((SecondStage_Date-Start_Date)/86400)
| table STARTDATE SECONDSTAGEDATE Duration

I prefer to use tostring funtion to show durations, in other words replace last eval with Duration=tostring(SecondStage_Date-Start_Date,"duration")
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

ebruozys
Path Finder
‎11-22-2017 12:35 AM

Hi Giuseppe,

Thank you for your response.

I realise my original question wasn't complete.

What if I want to get a list of multiple ID's?
Sow imagine I dont have a specific ID, I just want to get a list of ID's and the Duration per ID of how long it took for it to reach the second stage. I tried adding a 'chart count by duration', but all I seem to get is a count of total duration.

Greetings,
Evald

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-22-2017 04:14 AM

Hi ebruozys,
if you have multiple IDs insert this clause in stats command

(index="test" source="start") OR (index="test" source="second_stage")
 | stats earliest(STARTDATE) AS STARTDATE earliest(SECONDSTAGEDATE) AS SECONDSTAGEDATE BY ID
 | eval 
      Start_Date=strptime(STARTDATE, "%Y-%m-%d %H:%M:%S."%N"),
      SecondStage_Date=strptime(SECONDSTAGEDATE,"%Y-%m-%d %H:%M:%S.%N"),
      Duration=floor((SecondStage_Date-Start_Date)/86400)
 | table ID STARTDATE SECONDSTAGEDATE Duration

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎11-20-2017 07:03 AM

Hi,

If you want to calculate difference by ID then you can try below query

(index="test" source="start") OR (index="test" source="second_stage") ID=12345 | eval Start_Date=strptime(STARTDATE, "%Y-%m-%d %H:%M:%S."%N") | eval SecondStage_Date=strptime(SECONDSTAGEDATE,"%Y-%m-%d %H:%M:%S.%N") | stats values(eval(floor((SecondStage_Date-Start_Date)/86400))) AS Duration by ID

Can you please let us know how your timestamp looks like in STARTDATE and SECONDSTAGEDATE field?

EDIT: Updated query

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...