Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can i calculate the time difference with 1 key value and 1 col of data?

Felipe_Barahona
Engager
‎03-05-2021 06:55 AM

Hi there Splunkers,

Maybe the title is a little bit weird but the point is, We have an entity who travel between 2 localizations and we can only register the time when he leave our localization, the problem is I want to calculate the amount of time the entity was outside delivering items.

So the data we managed is something like this

index=main vehicle_patent=LXHH63 Date=1/7/2021
| sort + id
| table id, vehicle_patent, Date, Time

IDvehicle patentDateTime
63LXHH631/7/20215:24:12
73LXHH631/7/202112:07:05
76LXHH631/7/202114:43:57
79LXHH631/7/202116:49:49
85LXHH631/7/202118:56:31
86LXHH631/7/202122:07:51

 

As you can see the ID value changes because of each entity leaving the place, and this is filtered to only show 1 entity a specific day.

And my output table should look something like this,

IDvehicle patentDateTimeTime_Before*Time_After*Diff
63LXHH631/7/20215:24:125:24:125:24:120:00:00
73LXHH631/7/202112:07:055:24:1212:07:056:42:53
76LXHH631/7/202114:43:5712:07:0514:43:572:36:52
79LXHH631/7/202116:49:4914:43:5716:49:492:05:52
85LXHH631/7/202118:56:3116:49:4918:56:312:06:42
86LXHH631/7/202122:07:5118:56:3122:07:513:11:20


*: Optional to be shown

Is this even possible or I'm asking a bit to much? I've been trying for a whole week and no result so far.

Thanks before hands.

Labels (3)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-05-2021 07:55 AM

This query gets you the non-optional fields.

| makeresults | eval _raw="ID	vehicle patent	Date	Time
63	LXHH63	1/7/2021	5:24:12
73	LXHH63	1/7/2021	12:07:05
76	LXHH63	1/7/2021	14:43:57
79	LXHH63	1/7/2021	16:49:49
85	LXHH63	1/7/2021	18:56:31
86	LXHH63	1/7/2021	22:07:51" | multikv forceheader=1
```The above just sets up test data```
```Parse the date/time into an integer so we can compute the diff```
| eval epoch=strptime(Date."T".Time,"%m/%d/%YT%H:%M:%S")
```Compute the diff```
| streamstats range(epoch) as Diff
| eval Diff=round(Diff,0)
```Present the Diff field in H:M:S format```
| fieldformat Diff=tostring(Diff,"duration")
| table ID vehicle_patent Date Time Diff
---
If this reply helps you, Karma would be appreciated.
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 09:02 AM

This also works if window=2 is included on the streamstats

| makeresults | eval _raw="ID	vehicle patent	Date	Time
63	LXHH63	1/7/2021	5:24:12
73	LXHH63	1/7/2021	12:07:05
76	LXHH63	1/7/2021	14:43:57
79	LXHH63	1/7/2021	16:49:49
85	LXHH63	1/7/2021	18:56:31
86	LXHH63	1/7/2021	22:07:51" | multikv forceheader=1
| eval epoch=strptime(Date."T".Time,"%m/%d/%YT%H:%M:%S")
| streamstats window=2 range(epoch) as Diff
| eval Diff=round(Diff,0)
| fieldformat Diff=tostring(Diff,"duration")
| table ID vehicle_patent Date Time Diff

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-05-2021 07:17 AM

You could use autoregress the get the value from the previous row.

| autoregress time as time_before p=1

Then you can do you difference calculation between time and time_before

Reply

Felipe_Barahona
Engager
‎03-05-2021 07:57 AM

Never heard of that function before, and it will be pretty useful. THANKS A LOT.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...