Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract two values from two same fields in two events and then find the difference in timestamp

vanakkam777
New Member
‎08-15-2019 03:05 PM

Log data example:

{'job_no':'1','begin_build_time':'2019-08-15 11:00:00','event_type':'staging'}
{'job_no':'1','end_build_time':'2019-08-15 11:10:00','event_type':'staging'}
{'job_no':'1','begin_execution_time':'2019-08-15 11:10:01','event_type':'transaction'}
{'job_no':'1','end_execution_time':'2019-08-15 11:20:00','event_type':'transaction'}
{'job_no':'1','begin_artifact_time':'2019-08-15 11:20:01','event_type':'upload'}
{'job_no':'1','end_artifact_time':'2019-08-15 11:30:00','event_type':'upload'}

I need data table output like:
Job# 1 staging 10 mins transaction 10 mins upload 10 mins total 30 mins

Each line is coming as a event in Splunk.
I know we have to use coalesce and streamstats, but I am new to splunk not able to figure out how to get to this level.

Thanks in advance.

0 Karma
Reply

mayurr98
Super Champion
‎08-15-2019 04:22 PM

Try this run anywhere search

| makeresults 
| eval data="{'job_no':'1','begin_build_time':'2019-08-15 11:00:00','event_type':'staging'} | {'job_no':'1','end_build_time':'2019-08-15 11:10:00','event_type':'staging'}" 
| makemv data delim="|" 
| mvexpand data 
| table data 
| rex field="data" "'job_no':'(?<job_no>[^\']+)','(begin_build_time':'(?<begin_build_time>[^\']+)|end_build_time':'(?<end_build_time>[^\']+))','event_type':'(?<type>[^\']+)'"| eval begin_build_time=strptime(begin_build_time,"%Y-%m-%d %H:%M:%S"),end_build_time=strptime(end_build_time,"%Y-%m-%d %H:%M:%S") 
| stats values(begin_build_time) as begin_build_time values(end_build_time) as end_build_time by type job_no
| eval time_diff_in_min=round((end_build_time-begin_build_time)/60)

In your env, you should try

index=<your_index>
| rex field=_raw "'job_no':'(?<job_no>[^\']+)','(begin_build_time':'(?<begin_build_time>[^\']+)|end_build_time':'(?<end_build_time>[^\']+))','event_type':'(?<type>[^\']+)'"| eval begin_build_time=strptime(begin_build_time,"%Y-%m-%d %H:%M:%S"),end_build_time=strptime(end_build_time,"%Y-%m-%d %H:%M:%S") 
| stats values(begin_build_time) as begin_build_time values(end_build_time) as end_build_time by type job_no
| eval time_diff_in_min=round((end_build_time-begin_build_time)/60)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...