Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do you compare timestamps from two rows?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you compare timestamps from two rows?
Hi all,
I have a requirement where i have to know if the transaction key is processed within 3 seconds. I need to compare two unique references and take the latest timestamp. For e.g., I have two unique references, "ABC1" and "ABC2", and both of them have multiple records in the logs. I have to take the first timestamp from ABC1 and ABC2, and it should be less than 3 seconds.
Can you all please give me some points which i can follow to complete this requirement?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you've searched for the relevant events, stats range(_time) as duration will tell you how much time was spanned by the events.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi richgalloway,
Thanks for the response.
I also need to compare the two records.
The search results in many rows. I use the search index= applicationet sourcetype=Rex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can use streamstats to find the difference in two events. But first make sure they are sorted properly i.e both the events are next to each other.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for the reply. Can I also sort the logs based on the unique key?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can , best would be to show some sample rows/events for which you want to find the time difference.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I have below as my records as my search results. Highlighted ones are unique key. I want compare between the record 1 and 3 , 2 and 4 display the incremented count.
Record 1 null - 2019-02-01T12:55:58.270 - Quename- INL_TTI_01 - Inbound - Process - ABCODSC123245678:Record processed Successfully
Record 2 null - 2019-02-01T12:55:59.270 - Quename- INL_TTI_01 - Inbound - Process - ABCODSC123248888:Record processed Successfully
Record 3 null - 2019-02-01T12:55:58.777 - Quename- INL_TTI_01 - Outbound - Process - ABCODSC123245678:Record processed Successfully
Record 4 null - 2019-02-01T12:55:60.270 - Quename- INL_TTI_01 - Outbound - Process - ABCODSC123248888:Record processed Successfully
Record 5 null - 2019-02-01T12:55:62.270 - Quename- INL_TTI_01 - Outbound - Process - ABCODSC123245678:Record processed Successfully
.
.
.
.
.
n
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
