Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I find the difference in time between two fields in the same event?

LHisham
Engager
‎02-14-2016 01:31 PM

I am fairly new to Splunk so bear with me.

I have extracted two fields and they are ConnectTime and DisconnectTime and are consecutive in my event in that order. I want to find the difference in time between the values in both those fields. Not only that but I want to find the difference in time between both fields in all my events, I then want to create an alert that will notify me when the difference in time between ConnectTime and DisconnectTime is less than 2 seconds.

I am aware that the command I need to use is the "delta" command. I have visited the Splunk Knowledge Page for instructions on how to use the delta command but when I type in "| delta DisconnectTime p=1" I do not get anything in my statistics tab.

Thanks in advance

Reply

ryhluc01
Communicator
‎04-17-2019 09:00 AM

Hello : ) can you select @justinatpnnl 's answer?

0 Karma
Reply

justinatpnnl
Communicator
‎02-14-2016 03:25 PM

If I understand your question correctly, both of these fields are in the same event, so 'Delta' is not the right option for you here. You should be able to use a simple Eval to create a new field in each event:

| eval TimeDifference = DisconnectTime - ConnectTime

Then you can add a simple WHERE statement to limit your events to the ones under two seconds:

| WHERE TimeDifference < 2

This will require that your ConnectTime and DisconnetTime be in epoch format, but if they are simple date strings your can convert them to epoch using strptime().

Reply

sundareshr
Legend
‎02-14-2016 02:19 PM

delta command will work only on the same field in both events. In your example since one field is called ConnectedTime and the other DisconnectedTime, one way would be to do something like this ... ConnectedTime=* OR DisconnectTime=* | eval eventtime=coalesce(ConnectedTime , DisconnectedTime) | delta eventtime as timediff p=1

This should give you time difference in seconds. You can then format the time using .. | fieldformat timediff=tostring(timediff, "duration")

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...