Solved: Calculate Lag time between events - Splunk Community

Splunk Search

I am trying to calculate lag time but have the following issues:

_time is the same for each event as the data is indexed in chunks.

I am trying to take the highest result from field access-time and calculate the difference between the second highest result.

Something like |eval resultA - resultB. How do I get the 2 latest results from field access-time and calculate the difference

2020-11-13 08:18:37	1605254674
2020-11-13 08:18:37	1605254590
2020-11-13 08:18:37	1605253080
2020-11-13 08:18:37	1605252671
2020-11-13 08:18:37	1605251083
2020-11-13 08:18:37	1605250993
2020-11-13 08:18:37	1605249063
2020-11-13 08:18:37	1605247382
2020-11-13 08:18:37	1605245462
2020-11-13 08:18:37	1605243784
2020-11-13 08:18:37	1605241862
2020-11-13 08:18:37	1605240185
2020-11-13 08:18:37	1605238263
2020-11-13 08:18:37	1605236583
2020-11-13 08:18:37	1605234662
2020-11-13 08:18:37	1605232983
2020-11-13 08:18:37	1605231063
2020-11-13 08:18:37	1605229384
2020-11-13 08:18:37	1605227467
2020-11-13 08:18:37	1605225783
2020-11-13 08:18:37	1605223863
2020-11-13 08:18:37	1605222196
2020-11-13 08:18:37	1605220274
2020-11-13 08:18:37	1605218605
2020-11-13 08:18:37	1605216684
2020-11-13 08:18:37	1605214996

1 Solution

Solution

| autoregress field1 as previous1 p=1
| eval diff=field1-previous1

View solution in original post

Solution

| autoregress field1 as previous1 p=1
| eval diff=field1-previous1

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...