
Comparing different events timestamp

New Member


I have 2 events to compare: one always comes first and the second is the result of it. I want to present the time it took to get the result.

In order to do that, every couple of events has a common key (the same key for the first and the second); not every first event has a pair.
So right now I have this table:

First ``` second


``` ```2

(The ` is to present the columns - it's an empty cell).

I want to filter just the events that have the same key in the other column (1,5 in this example) and I couldn't do it so far.
Thank you in advance 🙂


Revered Legend

What's your search to get the events of both types? Also, can you share some sample data for both types of events?
I believe something like this would work but can't say for sure without seeing your current search/data:

your base search to select both types of events, with a field called common_key
| stats max(_time) as Result min(_time) as Request by common_key
| where Result!=Request | rename COMMENT as "This means there are two events for the common_key"
| eval Duration=Result-Request | convert ctime(Result) ctime(Request)

New Member

Unfortunately, I don't have the key that easily; I calculate it from the URL of the event, and for every event the calculation is different. It means it looks something like that:
baseSearch | eval firstCalc (that returns null for the second event) | eval secondCalc (that returns null for the first event) | table firstCalc, secondCalc.

I tried to give the same name to both eval calculations, but it only took the second calc, and "as" is not allowed there.


Revered Legend

In that case, you can calculate your common_key like this:

baseSearch | eval firstCalc=(that returns null for the second event) | eval secondCalc=(that returns null for the first event) | eval common_key=coalesce(firstCalc, secondCalc) |...
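As an added illustration (not code from the thread or from Splunk), the following Python mirrors the search suggested above: derive the key per event type, coalesce it into one common_key, then group by key and keep only keys whose min and max timestamps differ. The URL shapes, the regexes and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (assumption, not the poster's data). The request and
# its result carry the same id, but in different URL shapes, so each event type
# needs its own extraction rule, as the poster describes.
EVENTS = [
    {"_time": 1000, "url": "/api/submit?job=1"},
    {"_time": 1003, "url": "/api/result/1/done"},
    {"_time": 1010, "url": "/api/submit?job=2"},    # request with no result yet
    {"_time": 1020, "url": "/api/submit?job=5"},
    {"_time": 1031, "url": "/api/result/5/done"},
    {"_time": 1040, "url": "/api/result/7/done"},   # result whose request is outside the window
]

FIRST_RE = re.compile(r"/api/submit\?job=(\d+)")     # assumed shape of the first event
SECOND_RE = re.compile(r"/api/result/(\d+)/done")    # assumed shape of the second event


def first_calc(event):
    """eval firstCalc: returns None (null) for the second event type."""
    m = FIRST_RE.search(event["url"])
    return m.group(1) if m else None


def second_calc(event):
    """eval secondCalc: returns None (null) for the first event type."""
    m = SECOND_RE.search(event["url"])
    return m.group(1) if m else None


def common_key(event):
    """eval common_key=coalesce(firstCalc, secondCalc)"""
    return first_calc(event) or second_calc(event)


def paired_durations(events):
    """stats max(_time) as Result min(_time) as Request by common_key
       | where Result!=Request | eval Duration=Result-Request
    Returns {common_key: Duration} for keys that have both events."""
    times_by_key = defaultdict(list)
    for event in events:
        key = common_key(event)
        if key is not None:          # stats drops events with a null by-field
            times_by_key[key].append(event["_time"])
    durations = {}
    for key, times in times_by_key.items():
        request, result = min(times), max(times)
        if result != request:        # a lone event has min == max and is filtered out
            durations[key] = result - request
    return durations
```

Note that the `where Result!=Request` filter is a heuristic: it also keeps a key that appears twice in the same event type at different times, and it drops a genuine pair whose two events share the same timestamp; requiring both firstCalc and secondCalc to be non-null for the key is the stricter check.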