Solved: How to calculate the delta between two time interv...

metylkinandrey · ‎08-24-2022

Good afternoon! We receive messages on splunk.

The task is as follows: there is a time period between the first message and the second, and also between the second and the third. The task is that you need to somehow calculate the delta between these intervals and display it on the dashboard. This is real? And the question is, how can I do this? Is there a rough example? Unfortunately, I have not worked with splunk at all before, so I don’t even know where to start. If you need leading questions, I'm ready to answer.

somesoni2 · ‎08-24-2022

Try something like this (runanywhere sample, change first one with your base search)

index = _internal sourcetype=splunk_web_access 
|  table _time 
|  delta _time as timediff

View solution in original post

somesoni2 · ‎08-24-2022

Try something like this (runanywhere sample, change first one with your base search)

index = _internal sourcetype=splunk_web_access 
|  table _time 
|  delta _time as timediff

metylkinandrey · ‎08-25-2022

Adding "| delta _time as timediff"" in my query:

```

index="bl_logging" sourcetype="testsystem-2"
| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId
| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount
| delta _time as timediff

```

Works great! Thanks a lot!

But as it turned out, my task is a little more difficult.

delta _time as timediff - works great with messages that arrive sequentially, but there is one problem: messages arrive chaotically from different sources. As it turned out, I need to calculate the delta from messages in one thread. Messages in the same thread have a common srcMsgId (not different as I thought), but each message has an individual messageId. Thus, I need the message threads to be grouped by srcMsgId, and the delta is calculated from the messages strictly in this thread (group). Calculate the interval between the first and second messages in the group, the second and third, etc.

Perhaps you know how to edit my request?

somesoni2 · ‎08-25-2022

There might not be an efficient way to do that. You'll have to sort your data by srcMsgId (and time) and then use Delta.

Or you can use following streamstats version of performing the same.

index="bl_logging" sourcetype="testsystem-2"
| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId
| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount
| sort srcMsgId _time
| streamstats current=f window=1 values(_time) as prevTime by subject 
| eval timeDiff=_time-prevTime

metylkinandrey · ‎08-25-2022

Yes, it works, thanks a lot!

```

index="bl_logging" sourcetype="testsystem-2"

| transaction maxpause=5m srcMsgId Correlation_srcMsgId messageId

| table _time srcMsgId Correlation_srcMsgId messageId duration eventcount

| sort srcMsgId _time

| streamstats current=f window=1 values(_time) as prevTime by subject

| eval timeDiff=_time-prevTime

| delta _time as timediff

I added: | delta _time as timediff

```

I checked everything works as it should. Thanks again!

How to calculate the delta between two time intervals for sending messages?

field extraction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases