Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get the amount of time between event A and B into a field?

Jason
Motivator
‎10-04-2010 05:24 PM

Say you have a stream of events, such as web page accesses. There is no field for amount of time on a certain page, so I am interested in getting the time between event A and the next newer event temporally, event B.

I need this difference to appear in a field associated with event A, so I can say a user spent X amount of time at webpage A. This will likely be used in a transaction to differentiate clickstreams by user.

Is there such a thing as "time until next event" ? Any advice would be helpful!

Reply
1 Solution
Solved! Jump to solution
Solution

Jason
Motivator
‎10-05-2010 07:40 PM

Figured it out:

| streamstats range(_time) as Duration window=2

Makes a handy Duration field, for each event giving the time between it and the event after it. Does what I need it to!

View solution in original post

Reply
Solved! Jump to solution

blee_i365
Explorer
‎06-08-2011 09:48 AM

Assuming your list of events is in chronological order and belongs to a single user, you can try this:

*| delta _time as timeSpentOnPreviousPage | accum timeSpentOnPreviousPage as totalTime

From your 2nd event on you will get for each event a timeSpentOnPreviousPage and totalTime field containing running time difference between events, and running total time, respectively.

0 Karma
Reply
Solved! Jump to solution
Solution

Jason
Motivator
‎10-05-2010 07:40 PM

Figured it out:

| streamstats range(_time) as Duration window=2

Makes a handy Duration field, for each event giving the time between it and the event after it. Does what I need it to!

Reply
Solved! Jump to solution

Jason
Motivator
‎10-05-2010 11:07 PM

It goes in strictly event order, so if you have things like web_page and src_ip, you will need to sort by web_page (or provide some other arguments to streamstats) first, otherwise you will get absolute time between events, not between a particular user's events.

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎10-04-2010 05:43 PM

You should be able to use a transaction command that starts and stops with each event. From there, we automatically create a "duration" field that logs the amount of time between them. Alternatively, you could evaluate the difference in the _time field.

Reply
Solved! Jump to solution

Jason
Motivator
‎10-05-2010 07:21 PM

So, using the alternative method, how would you access a separate event's _time to eval it with the current one?

0 Karma
Reply
Solved! Jump to solution

Jason
Motivator
‎10-05-2010 07:21 PM

I tested and for events A, B, C, D, there are only two transactions, AB and CD. Thus, the time between B and C is inaccessible.

0 Karma
Reply
Solved! Jump to solution

Jason
Motivator
‎10-04-2010 06:01 PM

For events A, B, C, D, would this approach create transactions of A/B, C/D, or A/B, B/C, C/D? If the former, then the B event would get no duration, and disappear from the results.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...