Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How calculate the delta between the timestamp in one row with the timestamp in the previous row for all results?

Brigno
New Member
‎02-23-2016 04:52 AM

Hi,

In my search result, I have a series of events. I am able to calculate the delta of the various _time timestamps between each event, but how can I calculate the delta dividing the result in pairs? For example, I have 6 timestamps:

1 - 22/02/16 14:50:00.000
2 - 22/02/16 14:50:30.000
3 - 22/02/16 14:50:38.000
4 - 22/02/16 14:50:59.000
5 - 22/02/16 14:53:06.000
6 - 22/02/16 14:54:00.000
...

I need the delta between line 1 and line 2, then between line 3 and line 4, and so on for the entire result. Someone knows how to do something like this?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-03-2018 11:24 PM

Like this:

Your Base Search Here
| streamstats count AS serial
| eval copy_time=if(serial%2==1, _time, null())
| streamstats current=f last(copy_time) AS last_time
| eval delta = if(isnull(copy_time), tostring(last_time - _time, "duration"), null())
0 Karma
Reply

Stevelim
Communicator
‎02-23-2016 08:34 AM

Have you considered the Delta command?

[your search] | delta _time as OnSince  | eval OnSince = tostring (OnSince, "duration")
0 Karma
Reply

Brigno
New Member
‎02-23-2016 12:47 PM

Yes, I do. I know it, but it's not what I'm looking for. That command make a delta between line 1-2, 2-3, 3-4. 4-5 and so on, but what I really need is a delta between lines 1-2, 3-4, 5-6 etc.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...