Solved: Finding Timings Between Multiple Events

Razziq · ‎03-09-2021

Hello,

I am trying to find the timings between multiple calls under the same extracted field of InterchangeId. When using streamstats range(_time), I get the timing between the calls, however the first call in order of time has the total time and the last call has a 0 value. I am trying to determine how long it takes between each call in the correct order without it aggregating one of the calls to the total timing value.

Below is a screenshot of the results as well as the search. I appreciate any help with this!

richgalloway · ‎03-09-2021

Use the window option of streamstats to limit the range calculation to the current row and the previous row.

| streamstats window=1 range(_time) as Difference by InterchangeID

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-09-2021

Use the window option of streamstats to limit the range calculation to the current row and the previous row.

| streamstats window=1 range(_time) as Difference by InterchangeID

---
If this reply helps you, Karma would be appreciated.

Razziq · ‎03-09-2021

@richgalloway Thank you! I was able to add window=2 to the search and verified that the timings look accurate after finding the total time and checking against each individual row's timing. For some reason window=1 resulted in all 0 results, but 2 worked as expected. Thanks again!

Finding Timings Between Multiple Events

chart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases