How do I get the amount of time between event A and B into a field?

Motivator

Say you have a stream of events, such as web page accesses. There is no field for amount of time on a certain page, so I am interested in getting the time between event A and the next newer event temporally, event B.

I need this difference to appear in a field associated with event A, so I can say a user spent X amount of time at webpage A. This will likely be used in a transaction to differentiate clickstreams by user.

Is there such a thing as "time until next event" ? Any advice would be helpful!

Re: How do I get the amount of time between event A and B into a field?

Splunk Employee

You should be able to use a transaction command that starts and stops with each event. From there, we automatically create a "duration" field that logs the amount of time between them. Alternatively, you could evaluate the difference in the _time field.

Re: How do I get the amount of time between event A and B into a field?

Motivator

For events A, B, C, D, would this approach create transactions of A/B, C/D, or A/B, B/C, C/D? If the former, then the B event would get no duration, and disappear from the results.

Re: How do I get the amount of time between event A and B into a field?

Motivator

I tested and for events A, B, C, D, there are only two transactions, AB and CD. Thus, the time between B and C is inaccessible.

Re: How do I get the amount of time between event A and B into a field?

Motivator

So, using the alternative method, how would you access a separate event's _time to eval it with the current one?

Re: How do I get the amount of time between event A and B into a field?

Motivator

Figured it out:

| streamstats range(_time) as Duration window=2

Makes a handy Duration field, for each event giving the time between it and the event after it. Does what I need it to!

Re: How do I get the amount of time between event A and B into a field?

Motivator

It goes in strictly event order, so if you have things like webpage and srcip, you will need to sort by web_page (or provide some other arguments to streamstats) first, otherwise you will get absolute time between events, not between a particular user's events.

Re: How do I get the amount of time between event A and B into a field?

Explorer

Assuming your list of events is in chronological order and belongs to a single user, you can try this:

* | delta _time as timeSpentOnPreviousPage | accum timeSpentOnPreviousPage as totalTime

From your 2nd event on, you will get for each event a timeSpentOnPreviousPage field and a totalTime field, containing the running time difference between events and the running total time, respectively.
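The three approaches in this thread (pairwise transaction, streamstats window=2 range, and delta/accum) and the per-user sorting caveat can be reproduced outside Splunk to see exactly which gaps each one yields. The following is an added illustration, not code from any poster: it models a clickstream as plain dicts with the thread's field names (_time, srcip, web_page), groups events per source IP so that a gap is never measured between two different users' events, and then computes the durations each SPL variant would produce. The sample events are constructed for the example.

```python
"""Time between consecutive events, per user, modelled after the SPL in the thread."""
from itertools import groupby

# Constructed sample clickstream (not from the thread): epoch seconds, source IP, page.
EVENTS = [
    {"_time": 1000, "srcip": "10.0.0.1", "web_page": "/home"},
    {"_time": 1030, "srcip": "10.0.0.2", "web_page": "/home"},
    {"_time": 1045, "srcip": "10.0.0.1", "web_page": "/cart"},
    {"_time": 1100, "srcip": "10.0.0.1", "web_page": "/checkout"},
    {"_time": 1090, "srcip": "10.0.0.2", "web_page": "/search"},
    {"_time": 1160, "srcip": "10.0.0.1", "web_page": "/done"},
]


def by_user(events, key="srcip"):
    """Group events per user and sort each user's stream chronologically.

    This is the 'sort by user first' advice from the thread: without it a
    sliding window or delta would measure the gap between events of
    different users, not a single user's dwell time on a page.
    """
    ordered = sorted(events, key=lambda e: (e[key], e["_time"]))
    return {user: list(group) for user, group in groupby(ordered, key=lambda e: e[key])}


def transaction_pairs(stream):
    """A transaction that starts and ends on every event: pairs (A,B), (C,D), ...

    The pairs do not overlap, so the B->C gap is never produced and a
    trailing unpaired event gets no duration at all, as the thread observed.
    """
    out = []
    for i in range(0, len(stream) - 1, 2):
        a, b = stream[i], stream[i + 1]
        out.append({"pages": (a["web_page"], b["web_page"]),
                    "duration": b["_time"] - a["_time"]})
    return out


def time_until_next(stream):
    """streamstats range(_time) as Duration window=2 over Splunk's newest-first order.

    Each event receives the gap to the event that follows it in time. The
    newest event has no successor; this model records None there, whereas
    Splunk's one-event window would report a range of 0.
    """
    out = []
    for i, e in enumerate(stream):
        nxt = stream[i + 1] if i + 1 < len(stream) else None
        out.append({**e, "Duration": None if nxt is None else nxt["_time"] - e["_time"]})
    return out


def delta_and_accum(stream):
    """delta _time as timeSpentOnPreviousPage | accum ... as totalTime.

    On a chronological single-user stream: gap to the previous event and the
    running total of those gaps. The first event has neither field.
    """
    out, total = [], 0
    for i, e in enumerate(stream):
        gap = None if i == 0 else e["_time"] - stream[i - 1]["_time"]
        if gap is not None:
            total += gap
        out.append({**e, "timeSpentOnPreviousPage": gap,
                    "totalTime": None if gap is None else total})
    return out


if __name__ == "__main__":
    for user, stream in by_user(EVENTS).items():
        print(user)
        print("  transaction pairs:", transaction_pairs(stream))
        print("  time until next:  ", [e["Duration"] for e in time_until_next(stream)])
        print("  delta/accum:      ", [(e["timeSpentOnPreviousPage"], e["totalTime"])
                                       for e in delta_and_accum(stream)])
```

Running it shows the difference the thread discovered: for user 10.0.0.1 the pairwise transaction yields only two durations (home/cart and checkout/done) and silently drops the cart to checkout gap, while the sliding window and delta variants yield a gap for every adjacent pair. Both of the latter only give per-user dwell times because by_user sorted the stream by srcip first.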