Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate time duration between 2 events

cbiraris
Path Finder
‎10-11-2023 08:06 AM

Hi Team,

Is there any way we can calculate time duration between 2 different events like start and end.

For example: we have start event at 10/10/23 23:50:00.031 PM, and End evet at 11/10/23
00:50:00.031 AM

 how can we calculate this. please help.

Thank you

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-11-2023 03:55 PM

@cbiraris 

there are a number of ways of doing this, but it depends on what you want to end up with. I am assuming that the event _time field denotes your time - if not, then parsing your time field using strptime() is needed first.

A couple of examples below showing you stats and streamstats usage.

Using stats you can collect your events together like this, assuming you have some kind of correlation ID that can group the events together.

| makeresults count=4
| streamstats c
| eval _time=now() - (c * 60) - (random() % 30)
| eval EventID="ID:".round(c / 2)
| fields - c
``` Calculate the gap ```
| stats range(_time) as r by EventID

If you have a number events a simple example of streamstats will just calculate the difference between two events like this, which generates 4 random timed events and calculates the difference between each pair

| makeresults count=4
| streamstats c
| eval _time=now() - (c * 60) - (random() % 30)
| fields - c
| eval Event=mvindex(split("Start,End",","),(c - 1) % 2)
``` Calculate the gap ```
| streamstats reset_after="Event=\"End\"" range(_time) as gap

 

0 Karma
Reply

cbiraris
Path Finder
‎10-13-2023 06:44 AM

Actually, I have 2 separate events start event one unique ID and few other fields for exampled = "Job initiated" 

if the events contains  "JOB initiated" , that means the evets is first event. and if the events contains "JOB Completed" that means the last event.

so, I want to calculate how much total time taken for that particular Job ID to complete ?


0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-17-2023 07:37 AM

Try something like this

index=bla "JOB Initiated" OR "JOB Completed"
``` If your ID is not already extracted, then extract it ```
| rex field=_raw "(?<id>your_regex_to_extract_id)"
| stats count as eventCount range(_time) as duration by ID

So this will assume 2 events per ID and the range(_time) will calculate duration.

You can always then check eventCount=2 to make sure you have seen both events.

 

0 Karma
Reply

etoombs
Path Finder
‎10-11-2023 08:29 AM

Hi. You can convert your time to epoch values and then subtract them. Here's an example:

| makeresults
| eval start="10/10/23 23:50:00.031 PM", end="11/10/23 00:50:00.031 AM PM"
| eval startepoch=strptime('start',"%m/%d/%y %H:%M:%S.%3N")
| eval endepoch=strptime('end',"%m/%d/%y %H:%M:%S.%3N")
| eval diff=endepoch-startepoch
| eval timediff=tostring(diff,"duration")
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...