Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find the time difference between values in the same field

raby1996
Path Finder
‎01-25-2016 01:32 PM

Hi all,
I have a field that i am calling "code_load_date" and I am running a stats command that groups them by associated serial number and code level, so essentially the events look like this-

Serial            Code                 code_load_date
8k12              1.1                     1/01/15
--------------------------------------------------------------------         
8k13              1.2                     01/01/15
                  1.3                     01/11/15
                  1.4                     01/22/15
--------------------------------------------------------------------
8k14              1.2                     01/01/15
                  1.3                     01/15/15

and essentially I want to find the difference in the days between each date (code_load_date) that code was loaded onto a machine (serial) between each new code level so my desired results would look something like this-

    Serial            Code                 code_load_date          time_difference
    8k12              1.1                     1/01/15                       0
    ---------------------------------         
    8k13              1.2                     01/01/15                      10
                      1.3                     01/11/15                      11
                      1.4                     01/22/15
    --------------------------------
    8k14              1.2                     01/01/15                      14
                      1.3                     01/15/15

Is there any way that this can be achieved? Thank you in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-25-2016 01:49 PM

I'm guessing your query looks like this

your search before stats | stats values(Code) as Code values(code_load_date) as code_load_date by Serial

Try something like this

your search before stats | sort Serial code_load_date | streamstats current=f window=1 values(code_load_date) as prev by Serial | eval time_diff=round(strptime(code_load_date,"%m/%d/%y")-strptime(prev,"%m/%d/%y"))/86400)  | stats values(Code) as Code values(code_load_date) as code_load_date values(time_difference) as time_difference by Serial | fillnull value=0 time_difference

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎01-25-2016 01:49 PM

I'm guessing your query looks like this

your search before stats | stats values(Code) as Code values(code_load_date) as code_load_date by Serial

Try something like this

your search before stats | sort Serial code_load_date | streamstats current=f window=1 values(code_load_date) as prev by Serial | eval time_diff=round(strptime(code_load_date,"%m/%d/%y")-strptime(prev,"%m/%d/%y"))/86400)  | stats values(Code) as Code values(code_load_date) as code_load_date values(time_difference) as time_difference by Serial | fillnull value=0 time_difference
Reply
Solved! Jump to solution

raby1996
Path Finder
‎01-25-2016 02:13 PM

It worked! Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...