Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I calculate the timediff based on non-sequ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khavildar
Explorer
06-27-2018
03:52 PM
I have a requirement wherein I have to find timedifference of 2 events. Below is an example on the event type:
Host Time SeqID Transaction
a 1:00:00 5 Start
b 1:30:00 7 Start
a 1:45:00 9 Complete
b 2:00:00 14 Complete
a 4:00:00 19 Start
c 4:30:00 23 Start
a 4:45:00 25 Complete
I need to calculate the timedifferences between 'Start' and 'Complete' for every Host using their SeqID.
To translate roughly, its like
concat(hostname,Time@Complete,SeqId@Complete) - concat(hostname,Time@Start,SeqID@Start)
But in the above calculation, i need to ensure the SeqID@Complete is the most numerically nearest one to the SeqID@Start.
Any thoughts / suggestions?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-27-2018
06:29 PM
Hi @khavildar,
Try this
index="your index" "your other search terms"|table _time,host,SeqID ,Transaction|sort host,SeqID |streamstats current=f last(_time) as prev by host|eval time_diff=_time-prev|where Transaction="Complete"|table host,SeqID ,time_diff
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
06-27-2018
06:29 PM
Hi @khavildar,
Try this
index="your index" "your other search terms"|table _time,host,SeqID ,Transaction|sort host,SeqID |streamstats current=f last(_time) as prev by host|eval time_diff=_time-prev|where Transaction="Complete"|table host,SeqID ,time_diff
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khavildar
Explorer
06-28-2018
01:12 PM
Works like a charm! Perfect.
Thanks so much!
Get Updates on the Splunk Community!
Best Strategies to Optimize Observability Costs
Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...
Fueling your curiosity with new Splunk ILT and eLearning courses
At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
