Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you calculate the time between events with the streamstats command?

splunkreal
Motivator
‎11-14-2018 04:20 PM

Hello guys,

I have data like this using Splunk 7.1 and I would like to calculate minutes between start and end of each event :

example (order can change) :

_time field1 status
2018-11-15 00:10 AAA1 start
2018-11-15 00:15 AAA2 start
2018-11-15 00:17 AAA1 end
2018-11-15 00:20 AAA2 end
2018-11-15 00:25 AAA3 start
2018-11-15 00:26 AAA3 end

I think I should group by field1 and time then calculate using streamstats.

Thanks for your help.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-14-2018 04:45 PM

hello there,

here is one way using stats
run the example below anywhere:

| makeresults count=1
| eval data = "2018-11-15 00:10 AAA1 start;
2018-11-15 00:15 AAA2 start;
2018-11-15 00:17 AAA1 end;
2018-11-15 00:20 AAA2 end;
2018-11-15 00:25 AAA3 start;
2018-11-15 00:26 AAA3 end"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<event_time>\S+\s\S+)\s(?<event_id>[^\s]+)\s(?<start_or_end>\S+)"
| table event_time event_id start_or_end
| rename COMMENT as "the above generates fake data, below is the solution"
| eval start_time = if(start_or_end="start",event_time,null())
| eval end_time = if(start_or_end="end",event_time,null())
| stats values(*_time) as *_time by event_id
| eval start_time_epoch = strptime(start_time, "%Y-%m-%d %H:%M")
| eval end_time_epoch = strptime(end_time, "%Y-%m-%d %H:%M")
| eval duration_in_secondes = end_time_epoch - start_time_epoch

screenshot:
alt text

hope it helps

View solution in original post

Preview file
121 KB
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎11-14-2018 04:45 PM

hello there,

here is one way using stats
run the example below anywhere:

| makeresults count=1
| eval data = "2018-11-15 00:10 AAA1 start;
2018-11-15 00:15 AAA2 start;
2018-11-15 00:17 AAA1 end;
2018-11-15 00:20 AAA2 end;
2018-11-15 00:25 AAA3 start;
2018-11-15 00:26 AAA3 end"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<event_time>\S+\s\S+)\s(?<event_id>[^\s]+)\s(?<start_or_end>\S+)"
| table event_time event_id start_or_end
| rename COMMENT as "the above generates fake data, below is the solution"
| eval start_time = if(start_or_end="start",event_time,null())
| eval end_time = if(start_or_end="end",event_time,null())
| stats values(*_time) as *_time by event_id
| eval start_time_epoch = strptime(start_time, "%Y-%m-%d %H:%M")
| eval end_time_epoch = strptime(end_time, "%Y-%m-%d %H:%M")
| eval duration_in_secondes = end_time_epoch - start_time_epoch

screenshot:
alt text

hope it helps

Preview file
121 KB
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...