Solved: Calculate Lag time between events - Splunk Community

Splunk Search

I am trying to calculate lag time but have the following issues:

_time is the same for each event as the data is indexed in chunks.

I am trying to take the highest result from field access-time and calculate the difference between the second highest result.

Something like |eval resultA - resultB. How do I get the 2 latest results from field access-time and calculate the difference

2020-11-13 08:18:37	1605254674
2020-11-13 08:18:37	1605254590
2020-11-13 08:18:37	1605253080
2020-11-13 08:18:37	1605252671
2020-11-13 08:18:37	1605251083
2020-11-13 08:18:37	1605250993
2020-11-13 08:18:37	1605249063
2020-11-13 08:18:37	1605247382
2020-11-13 08:18:37	1605245462
2020-11-13 08:18:37	1605243784
2020-11-13 08:18:37	1605241862
2020-11-13 08:18:37	1605240185
2020-11-13 08:18:37	1605238263
2020-11-13 08:18:37	1605236583
2020-11-13 08:18:37	1605234662
2020-11-13 08:18:37	1605232983
2020-11-13 08:18:37	1605231063
2020-11-13 08:18:37	1605229384
2020-11-13 08:18:37	1605227467
2020-11-13 08:18:37	1605225783
2020-11-13 08:18:37	1605223863
2020-11-13 08:18:37	1605222196
2020-11-13 08:18:37	1605220274
2020-11-13 08:18:37	1605218605
2020-11-13 08:18:37	1605216684
2020-11-13 08:18:37	1605214996

1 Solution

Solution

| autoregress field1 as previous1 p=1
| eval diff=field1-previous1

View solution in original post

Solution

| autoregress field1 as previous1 p=1
| eval diff=field1-previous1

Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open! conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor. HEC Receiver authorization ...