Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you calculate time difference between multiple events that aren't in chronological order?

puneetkharband1
Path Finder
‎10-18-2018 11:24 AM

I have 6 events. Each one has a timestamp, and I have extracted the time of each into a new field using eval. But now, I am not able to create timedifference between event6-event1 or event4-event3 as per my needs.

I do not want to use the transaction command as I need to write multiple searches, and I am trying to solve this in search.

I am at a point where my last seach line is 

| table Fourm_step_1_Time Fourm_step_2_Time Fourm_step_3_Time Fourm_step_4_Time Fourm_step_5_Time Fourm_step_6_Time

results are
0 0
0 0
0 0
0 0
0 123435453
1234545433 0
so on
@somesoni2

0 Karma
Reply

ehollima
Path Finder
‎10-18-2018 04:49 PM

When I am looking for time skews I use the following (credit to Hunter for the SPL)

index= earliest=-1m latest=+24h
| stats latest(_time) AS time by host
| eval now=now()
| eval offset=time-now
| eval time1=strftime(time,"%F - %T")
| eval now1=strftime(now,"%F - %T %Z")
| eval offset1=tostring(offset,"duration")
| convert ctime(time), ctime(now)
| table host offset offset1 time now now1 time1

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...