Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I find the difference in time between two fields in the same event?

LHisham
Engager
‎02-14-2016 01:31 PM

I am fairly new to Splunk so bear with me.

I have extracted two fields and they are ConnectTime and DisconnectTime and are consecutive in my event in that order. I want to find the difference in time between the values in both those fields. Not only that but I want to find the difference in time between both fields in all my events, I then want to create an alert that will notify me when the difference in time between ConnectTime and DisconnectTime is less than 2 seconds.

I am aware that the command I need to use is the "delta" command. I have visited the Splunk Knowledge Page for instructions on how to use the delta command but when I type in "| delta DisconnectTime p=1" I do not get anything in my statistics tab.

Thanks in advance

Reply

ryhluc01
Communicator
‎04-17-2019 09:00 AM

Hello : ) can you select @justinatpnnl 's answer?

0 Karma
Reply

justinatpnnl
Communicator
‎02-14-2016 03:25 PM

If I understand your question correctly, both of these fields are in the same event, so 'Delta' is not the right option for you here. You should be able to use a simple Eval to create a new field in each event:

| eval TimeDifference = DisconnectTime - ConnectTime

Then you can add a simple WHERE statement to limit your events to the ones under two seconds:

| WHERE TimeDifference < 2

This will require that your ConnectTime and DisconnetTime be in epoch format, but if they are simple date strings your can convert them to epoch using strptime().

Reply

sundareshr
Legend
‎02-14-2016 02:19 PM

delta command will work only on the same field in both events. In your example since one field is called ConnectedTime and the other DisconnectedTime, one way would be to do something like this ... ConnectedTime=* OR DisconnectTime=* | eval eventtime=coalesce(ConnectedTime , DisconnectedTime) | delta eventtime as timediff p=1

This should give you time difference in seconds. You can then format the time using .. | fieldformat timediff=tostring(timediff, "duration")

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...