Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Calculate time between two different events

JYTTEJ
Communicator
‎11-18-2010 10:33 AM

I have log entries looking as follows:

Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47,993;

Nov 16 08:33:08 psdkxt05 MID=xxx004E;XID=;SID=;UID=;STM=2010-11-16 08:33:08,824;

Nov 16 08:07:44 psdkxt05 MID=XXX005I;XID=;SID=;UID=;STM=2010-11-16 08:07:44,255;

Nov 16 08:03:03 psdkxt05 MID=XXX004E;XID=;SID=;UID=;STM=2010-11-16 08:03:03,120;

I have to calculate the time between 004E and 005I - but I do NOT want the calculation between 005I and 004E

I have following search:

host = psdkxt05 MID=XXX004E OR MID=XXX005I 
| EVAL PRC=SUBSTR(MID,1,3)
| EVAL ERR=SUBSTR(MID,5,3)
| SORT -_time
| delta _time as diff
| EVAL Outage(Minutes)=ROUND(diff/-60) 
| TABLE PRC ERR Outage(Minutes) _time

This gives following result:

 1. 1   11/16/10 8:37:47.000 AM XXX 05I
 2. 2   11/16/10 8:33:08.000 AM XXX 04E 5
 3. 3   11/16/10 8:07:44.000 AM XXX 05I 25
 4. 4   11/16/10 8:03:03.000 AM XXX    04E  5

How do I avoid the calculation in line 3?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎11-18-2010 12:23 PM

This looks like a good opportunity for "... | transaction ...". When you build a transaction, it will automatically compute a "duration" field for that transaction that is the number of seconds from the beginning to end. I don't fully understand your data, but something like this might work:

host=psdkxt05 MID=XXX004E OR MID=XXX005 | 
transaction beginswith=XXX004E endswith=XXX005I |
EVAL PRC=SUBSTR(MID,1,3) |
EVAL ERR=SUBSTR(MID,5,3) |
EVAL Outage(Minutes)=duration/60 |
TABLE PRC ERR Outage(Minutes) _time

See http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction for more details.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎11-18-2010 12:23 PM

This looks like a good opportunity for "... | transaction ...". When you build a transaction, it will automatically compute a "duration" field for that transaction that is the number of seconds from the beginning to end. I don't fully understand your data, but something like this might work:

host=psdkxt05 MID=XXX004E OR MID=XXX005 | 
transaction beginswith=XXX004E endswith=XXX005I |
EVAL PRC=SUBSTR(MID,1,3) |
EVAL ERR=SUBSTR(MID,5,3) |
EVAL Outage(Minutes)=duration/60 |
TABLE PRC ERR Outage(Minutes) _time

See http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction for more details.

Reply
Solved! Jump to solution

JYTTEJ
Communicator
‎11-18-2010 01:43 PM

THANK YOU!I did try the transaction before asking the question. But could not make it work- but it does now with your help :-). Thank you so much. (I am quite new in the SPLUNK world...)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...