Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Calculate difference

AB24
Loves-to-Learn Everything
‎05-08-2023 11:39 PM
 
Labels (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2023 12:12 AM

Try something like this

| where Device_Info == "Device Number" OR match(Device_Info,"\d+")
| streamstats count(eval(Device_Info=="Device Number")) as Inspection_Count
| stats values(eval(if(match(Device_Info, "\d+"),Device_Info,null()))) as Device_Info range(_time) as total_duration by Inspection_Count
| where total_duration > 0
| streamstats reset_on_change=t count as Inspection_Count by Device_Info
| eventstats sum(total_duration) as sum_duration by Device_Info
| eval total_duration = total_duration / 60
| eval sum_duration = sum_duration / 60
0 Karma
Reply

AB24
Loves-to-Learn Everything
‎05-09-2023 02:06 AM

Thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2023 02:13 AM

Remove the reset_on_change=t

0 Karma
Reply

AB24
Loves-to-Learn Everything
‎05-09-2023 02:40 AM

Some Device_Info are merging in the result instead of one device_info per row it is two device_info per row

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-09-2023 02:45 AM

Perhaps if you shared some of your real events and results and your SPL, we might be able to advise you further. Vague descriptions of the issue and fake data means we can only offer solutions based what you have provided, and to that extent, the solution provided does work (but only with the fake data you provided)!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...