Splunk Search

Duration between events - Max gap (not the start and end points)

stephenreece
New Member

Hi all.

I am trying to create a map where I can look at users' max duration between logins, for users who registered with us between two fixed dates, i.e. Jan17-Feb17.

So I have the following, which is interesting but doesn't give the max length.

| dedup eventId
| stats count(_time) as appear_count, values(_time) as appear_dates, max(_time) as last, min(_time) as first by customerNumber
| eval first_appear=strftime(first,"%d/%m/%Y")
| eval last_appear=strftime(last,"%d/%m/%Y")
| eval appear_dates=strftime(appear_dates,"%d/%m/%Y")
| eval duration=round((last-first)/86400)
| where first<strptime("01/02/2019","%d/%m/%Y")

For example, I have a user that has used the service 400 times with a max break of about a week. So I needed the search to pick up the user where first appear = Jan-Feb 2017, and then I need to know that this user has had at most a week's break between accesses.

Does this make sense?

It's almost as if I need to write the search to collect all users where first<28/02/2017.

...and then I need to eval each event in order and subtract the later from the earlier, so for someone who accessed the service 5 times it would be:

USER ONE
first=22/02/2017
event 1 22/02/2017
event 2 25/02/2017 (diff between event 2-1 = 3 days)
event 3 01/03/2017 (diff between event 3-2 = 4 days)
event 4 09/03/2017 (diff between event 4-3 = 8 days)
LAST event 5 10/03/2017 (diff between event 5-4 = 1 day)

Therefore max duration between events = 8 days

0 Karma

stephenreece
New Member

No... can't be this straightforward.

| streamstats current=t window=2 range(_time) AS duration BY customerNumber
| stats min(duration) AS Min max(duration) AS Max avg(duration) AS Avg BY customerNumber

0 Karma
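To tie the streamstats answer above back to the requirement in the question (only users whose first login falls in a fixed window, and the longest gap between consecutive logins for each of them), here is a complete search added to this page as a worked example; it is not code from the thread. The events are constructed inline with makeresults: USER ONE is the five-login example from the question, and USER TWO is an invented customer whose first login (05/03/2017) falls outside the window so that the filter has something to drop. The Jan-Feb 2017 window comes from the question. One deliberate variation from the accepted answer: `streamstats current=f last(_time)` is used instead of `window=2 range(_time)`, so a customer's first event produces no gap at all (null) rather than a gap of 0, which would otherwise pin Min to 0 and skew Avg.

```spl
| makeresults count=2
| streamstats count AS n
| eval customerNumber=if(n=1,"USER ONE","USER TWO")
| eval login=if(n=1,"22/02/2017,25/02/2017,01/03/2017,09/03/2017,10/03/2017","05/03/2017,20/03/2017")
| makemv delim="," login
| mvexpand login
| eval _time=strptime(login,"%d/%m/%Y"), eventId=customerNumber."-".login
| fields - n login
| dedup eventId
| sort 0 customerNumber _time
| streamstats current=f last(_time) AS prev_time BY customerNumber
| eval gap_days=round((_time-prev_time)/86400)
| stats count AS logins min(_time) AS first max(_time) AS last min(gap_days) AS min_gap_days avg(gap_days) AS avg_gap_days max(gap_days) AS max_gap_days BY customerNumber
| where first>=strptime("01/01/2017","%d/%m/%Y") AND first<strptime("01/03/2017","%d/%m/%Y")
| eval first_appear=strftime(first,"%d/%m/%Y"), last_appear=strftime(last,"%d/%m/%Y")
| fields customerNumber first_appear last_appear logins min_gap_days avg_gap_days max_gap_days
```

Everything up to `| fields - n login` only fabricates sample data; replace it with your real base search (index, sourcetype and the login events) and keep the rest. `sort 0 customerNumber _time` puts each customer's logins oldest-first so that "previous" in streamstats really is the prior login; `current=f` makes prev_time null on the first event, and null arithmetic yields a null gap, which stats min/avg/max ignore. The `where` compares epoch seconds against epoch seconds, which is why the bounds are wrapped in strptime rather than written as bare dates. For USER ONE the gaps are the 3, 4, 8 and 1 days worked out by hand in the question, so max_gap_days is 8; USER TWO is filtered out because its first login is in March.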

DalJeanis
SplunkTrust

Yep. Write it up and accept it.

0 Karma

Richfez
SplunkTrust

That is about the answer I was going to suggest and should give you correct results.

If your testing shows it is (which it should be), why not write that up as your own answer, then mark it as accepted? It's perfectly acceptable to [at least occasionally] answer your own questions!

-Rich

0 Karma