Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do you determine the time difference between two events?

muzicman61
New Member
‎01-21-2019 09:58 AM

So I've read several previous questions on how to get the time difference between events, and they all seem to revolve around the transaction command. But that seems to then group my events and I don't want that.

My search gives me exactly what I want, but I'd simply like to determine the time difference between two events. I'm sure it's simple but I've spent too much time, so now, it is time to ask the community.

Thanks,
Rob

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎01-22-2019 07:30 AM

Should be possible to do that with the | streamstats command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats

In its simplest form, it would look something like this (to add a field in each event with the difference between the _time value of that event and the previous event):

...your current search...
| streamstats window=2 range(_time) as timediff

Or alternatively, using the | delta command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta

...your current search...
| delta _time as timediff

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎01-22-2019 07:30 AM

Should be possible to do that with the | streamstats command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats

In its simplest form, it would look something like this (to add a field in each event with the difference between the _time value of that event and the previous event):

...your current search...
| streamstats window=2 range(_time) as timediff

Or alternatively, using the | delta command. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Delta

...your current search...
| delta _time as timediff
0 Karma
Reply
Solved! Jump to solution

muzicman61
New Member
‎01-22-2019 08:04 AM

Thanks Frank. The delta command did exactly what I needed.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-21-2019 10:06 AM

You should post your query which would make it easier for us to help you. Try adding an eval like this 

| eval New_field_name=time_end - time_start

Replace New_field_name with your new field name. And replace time_end and time_start with your field names

0 Karma
Reply
Solved! Jump to solution

muzicman61
New Member
‎01-21-2019 11:26 AM

Thanks... Here is my query:

sourcetype="QMGR:manager" source="/opt/web/tomcat_instances/logs/tomcat_1/sessionmanager.sm.log.*" action ("540262" OR "15771078996")

But I'm not sure what field names I would substitute in your example.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-22-2019 06:33 AM

You need to list the two fields that represent the start time and end time..

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎01-22-2019 07:28 AM

I think he is asking for time difference between 2 separate events, not the difference between 2 time fields in 1 event.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-22-2019 07:33 AM

Ah I see. He mentioned using the transaction command and finding the difference. Garbage questions get garbage answers

0 Karma
Reply
Solved! Jump to solution

muzicman61
New Member
‎01-22-2019 08:01 AM

Sorry you think my question was garbage. I'm new to Splunk and trying my best to learn. If you read my first post I mention that OTHER posts mention the transaction command but that was not what I wanted as it grouped my transactions. Maybe some people just need to learn how to read.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-22-2019 08:09 AM

You're question was vague with little details. If you want help on here, I'd strongly recommend you try not insulting users and add some effort into your questions..

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...