Solved: Calculate Lag time between events - Splunk Community

Splunk Search

I am trying to calculate lag time but have the following issues:

_time is the same for each event as the data is indexed in chunks.

I am trying to take the highest result from field access-time and calculate the difference between the second highest result.

Something like |eval resultA - resultB. How do I get the 2 latest results from field access-time and calculate the difference

2020-11-13 08:18:37	1605254674
2020-11-13 08:18:37	1605254590
2020-11-13 08:18:37	1605253080
2020-11-13 08:18:37	1605252671
2020-11-13 08:18:37	1605251083
2020-11-13 08:18:37	1605250993
2020-11-13 08:18:37	1605249063
2020-11-13 08:18:37	1605247382
2020-11-13 08:18:37	1605245462
2020-11-13 08:18:37	1605243784
2020-11-13 08:18:37	1605241862
2020-11-13 08:18:37	1605240185
2020-11-13 08:18:37	1605238263
2020-11-13 08:18:37	1605236583
2020-11-13 08:18:37	1605234662
2020-11-13 08:18:37	1605232983
2020-11-13 08:18:37	1605231063
2020-11-13 08:18:37	1605229384
2020-11-13 08:18:37	1605227467
2020-11-13 08:18:37	1605225783
2020-11-13 08:18:37	1605223863
2020-11-13 08:18:37	1605222196
2020-11-13 08:18:37	1605220274
2020-11-13 08:18:37	1605218605
2020-11-13 08:18:37	1605216684
2020-11-13 08:18:37	1605214996

1 Solution

Solution

| autoregress field1 as previous1 p=1
| eval diff=field1-previous1

View solution in original post

Solution

| autoregress field1 as previous1 p=1
| eval diff=field1-previous1

Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...