Splunk Search

## Finding length of time that a field remains the same.

Communicator

I've got some logs where a certain field ('randomletter') is normally X, but occasionally changes to Y (or even Z!)

I would like to get a list of all the instances, and for how long it was reported as not being X.

I was hoping I could just use the `transaction` command to give me a list with the new field 'duration'.

```
search | transaction randomletter | search NOT randomletter="X"
```

This of course doesn't give me what I want though... it groups huge swathes of events together, consecutive or not. Talking about 'consecutive', the 'connected' parameter gave me a glimmer of hope, but that doesn't do it either.

In the end, I'm looking for a list of times based on consecutive events where 'randomletter' did not change, as well as a duration of that 'not-changingness'.

Anyway, hopefully a simple question, someone must have done it before! Anyone any ideas?

1 Solution
Splunk Employee
```
... | streamstats window=2 current=t
    first(randomletter) as newletter
    last(randomletter) as prevletter
| where newletter!=prevletter
| streamstats window=2 current=t
    first(_time) as changedtime
| eval duration=changedtime-_time
| table _time,newletter,duration
```

I may have the duration offset by one, depending on whether you mean the duration of the current letter, or the duration until the current letter changed.
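The same idea, carried out in plain Python so the two possible "durations" the answer mentions can be seen side by side. This is an added example written for this thread, not code from the original post or from Splunk: it groups consecutive events with an unchanged `randomletter` into runs (what the `streamstats window=2` comparison detects in SPL), then reports, for every run that is not the normal value, both how long the value was actually observed (last event minus first event of the run) and how long it lasted until the next change (start of the following run minus start of this run). The event list is constructed, newest-first as a Splunk search would return it, and the field name `letter` stands in for `randomletter`. From a monitoring standpoint, each non-X run is one state-change interval worth alerting on, and the duration column tells you how long the deviation persisted.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events, newest first (the order a Splunk search returns them).
# Times are epoch seconds; "X" is the normal value, "Y" and "Z" are deviations.
BASE = 1700000000
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (BASE + 600, "X"),
    (BASE + 500, "X"),
    (BASE + 400, "Y"),  # end of a two-event Y run
    (BASE + 300, "Y"),  # start of that Y run
    (BASE + 200, "X"),
    (BASE + 100, "Z"),  # a single-event Z run
    (BASE + 0,   "X"),
]


@dataclass
class Run:
    letter: str
    start: int                    # _time of the oldest event in the run
    end: int                      # _time of the newest event in the run
    observed: int = 0             # end - start: how long the value was reported
    until_change: Optional[int] = None  # next run's start - this run's start; None if still open


def runs_of_consecutive_value(events: List[Tuple[int, str]]) -> List[Run]:
    """Group consecutive events whose letter did not change into runs, oldest first.

    Equivalent to comparing each event with its neighbour (streamstats window=2) and
    cutting a new run wherever the value differs.
    """
    ordered = sorted(events)  # oldest first makes start/end bookkeeping straightforward
    runs: List[Run] = []
    for t, letter in ordered:
        if runs and runs[-1].letter == letter:
            runs[-1].end = t          # same value as the previous event: extend the run
        else:
            runs.append(Run(letter, t, t))  # value changed: open a new run

    # Fill in the two duration readings the answer above distinguishes.
    for i, run in enumerate(runs):
        run.observed = run.end - run.start
        if i + 1 < len(runs):
            run.until_change = runs[i + 1].start - run.start
    return runs


def deviations(events: List[Tuple[int, str]], normal: str = "X") -> List[Run]:
    """Only the runs where the field was something other than its normal value."""
    return [r for r in runs_of_consecutive_value(events) if r.letter != normal]


if __name__ == "__main__":
    for r in deviations(SAMPLE_EVENTS):
        print(f"{r.letter}: start={r.start} end={r.end} "
              f"observed={r.observed}s until_change={r.until_change}s")
```

Note that a single-event deviation (the Z run) has an observed duration of 0 but a non-zero duration until the next change; whichever reading you want is the one the SPL's `duration` column should be checked against, which is exactly the off-by-one the answer warns about.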

