Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Duration of two events by status!

reschal
Explorer
‎11-27-2017 06:11 AM

hi,
my raw data look like this:

12:01:11:000 ip: "123.456.789" = "1"
12:01:12:000 ip: "123.456.789" = "1"
12:01:13:000 ip: "123.456.789" = "1"
12:01:14:000 ip: "123.456.789" = "2"
12:01:15:000 ip: "123.456.789" = "2"
12:01:16:000 ip: "123.456.789" = "1"
12:01:17:000 ip: "123.456.789" = "1"

Now i want to calculate the duration only between the first event of "1" and "2". In other words, the duration when the ip shows the status "1". I tried some transaction and streamstats commands but nothing worked properly.

Thanks for your help!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

damien_chillet
Builder
‎11-27-2017 07:46 AM

You could try with the transaction command:

index=<your_index> sourcetype=<your_sourcetype>
| transaction ip endswith=value=2
| eval keep=mvfilter(match(value, "1"))
| where keep=1

Assuming you are extracting the ip under field "ip" and values 1/2 under field "value"

View solution in original post

Reply
Solved! Jump to solution

lycollicott
Motivator
‎11-27-2017 12:00 PM

(I loaded your sample data into my test box then I did a field extraction for the IP and another for CODE.)

index=main sourcetype=reschal2 | sort _time
| table _time, CODE
| streamstats range(_time) as DURATION by CODE reset_on_change=true

Those commands will show you how long it was "1", then "2" then "1" again.

Here are some screenshots....

alt text

Reply
Solved! Jump to solution

lycollicott
Motivator
‎11-27-2017 12:22 PM

Don't know why the screenshot isn't displaying and the site won't let me upload another. 😞

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-27-2017 12:51 PM

I would change | sort _time to | sort 0 _time in order to avoid it to be truncated after 10K rows (default limit).

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-27-2017 08:14 AM

You can probably do this by using reverse and dedup command. Are both ip and status an extracted fields? If yes, something like this would work.

your base search | reverse | dedup ip status | stats range(_time) by ip
0 Karma
Reply
Solved! Jump to solution
Solution

damien_chillet
Builder
‎11-27-2017 07:46 AM

You could try with the transaction command:

index=<your_index> sourcetype=<your_sourcetype>
| transaction ip endswith=value=2
| eval keep=mvfilter(match(value, "1"))
| where keep=1

Assuming you are extracting the ip under field "ip" and values 1/2 under field "value"

Reply
Solved! Jump to solution

reschal
Explorer
‎11-28-2017 12:14 AM

Thank you. Your answer works great. By adding

|table _time duration |eval duration=tostring(duration,"duration")| sort -_time

i get a proper solution!

0 Karma
Reply
Solved! Jump to solution

damien_chillet
Builder
‎11-28-2017 01:36 AM

Yea, i forgot to mention duration would be stored under duration field, that's great you found it!

Thanks for accepting my answer and happy Splunking!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...