How do I find the time difference between these two events?

Hello,

I have the following events:

event 1:

product_category=dvd
product_name="the martian"
event=to_basket
event_time=2016-01-18T19:57:21+0100
...

event 2:

product_category=dvd
product_name="the martian"
event=sold
event_time=2016-01-18T20:15:21+0100
...

How can I tell the time difference between 'to_basket' and 'sold' based on product_category and product_name?

Re: How do I find the time difference between these two events?

Try something like this

your base search giving the above two types of events, i.e. event=to_basket OR event=sold
| stats values(event_time) as event_time values(event) as event by product_category, product_name
| eval Diff=strptime(mvindex(event_time,0),"%Y-%m-%dT%H:%M:%S%z")-strptime(mvindex(event_time,-1),"%Y-%m-%dT%H:%M:%S%z")
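
An added example, not part of the original answer: a variant that picks each timestamp by event type, so the sign of Diff and the pairing do not depend on the sorted order that values() returns, and a product with no sold event is handled. The makeresults rows are constructed sample data standing in for the base search; the third product ("interstellar"), the helper field n, and the output field names basket_time, sold_time and Diff_readable are assumptions for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval product_category="dvd",
       product_name=if(n==3, "interstellar", "the martian"),
       event=case(n==1, "to_basket", n==2, "sold", n==3, "to_basket"),
       event_time=case(n==1, "2016-01-18T19:57:21+0100",
                       n==2, "2016-01-18T20:15:21+0100",
                       n==3, "2016-01-18T21:00:00+0100")
| eval t=strptime(event_time, "%Y-%m-%dT%H:%M:%S%z")
| stats min(eval(if(event=="to_basket", t, null()))) AS basket_time
        min(eval(if(event=="sold", t, null()))) AS sold_time
        BY product_category, product_name
| eval Diff=sold_time - basket_time
| eval Diff_readable=tostring(Diff, "duration")
| table product_category, product_name, Diff, Diff_readable
```

Diff is in seconds (sold minus to_basket) and stays empty for a product that was added to the basket but never sold. To run it on real data, replace the first three commands with the base search.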


Re: How do I find the time difference between these two events?

Perfect, thank you!
