The issue is that the order the events are normally processed (without a sort) is most recent to least recent, so first is actually most recent i.e. latest event so you probably need to name them differently. That's why I said subtract the lower number from the larger number. You could also capture the last host (first found).
| stats first(_time) as end last(_time) as start first(host) as finalhost by orderid
| eval duration=end-start
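Added example (not from the thread): a self-contained search that generates three constructed events per order in reverse-chronological order, the way an unsorted search returns them, and shows the negative duration you get from first()/last() beside the ordering-independent min()/max() result. The orderid "A" and the host names "order-host" / "fulfilment-host" are constructed placeholders, and the assumption is that the final step of the process is the only event written by "fulfilment-host".

```spl
| makeresults count=3
| streamstats count as n
| eval orderid="A"
| eval _time=now() - (n * 60)
| eval host=if(n==1, "fulfilment-host", "order-host")
| eval final_step_time=if(host=="fulfilment-host", _time, null())
| stats first(_time) as first_seen, last(_time) as last_seen,
        min(_time) as start, max(_time) as end,
        max(final_step_time) as end_from_host,
        first(host) as finalhost
        by orderid
| eval naive_duration=last_seen-first_seen
| eval duration=end-start
| eval duration_by_host=end_from_host-start
| table orderid first_seen last_seen start end naive_duration duration duration_by_host finalhost
```

Because the generated events arrive newest first, naive_duration comes out as -120 while duration and duration_by_host are both 120; replacing the makeresults/eval lines with your real base search keeps the rest of the pipeline unchanged.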
| stats first(_time) as start last(_time) as end by orderid
How do you know which event is the end of the process?
@ITWhisperer I think I ran into the issue you hinted at when you asked me how I know the end. I am getting negative durations (meaning end is before start)...
How should I use this host field to tell Splunk that the time for this event is to be considered last (or first depending on the host)?
Ok thanks @ITWhisperer I now have a report with 3 columns:
orderid start end
Which command can I best use to subtract start from end?
The minus sign does not work.
Subtract does not work either..
A link to the documentation is also welcome.
Depending on the ordering of the events you may find that start is a bigger number than end - you need to subtract the smaller number from the larger to get the time difference in seconds.
Thanks I will try this out.
The last step of the process is in another system, so I can use the host field (I hope) to know the last _time.