Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate the time range between two events?

shenjunwei
New Member
‎06-24-2016 12:52 AM

I have data like below. How do I calculate the time difference between A.1-B. 1, A.2-B.2......A.n-B.n

Time Offset Word1
978         Start                      -------> A.1
1152           Start                           -------> A.2
1358           Start                           -------> A.3
1375           Controller                    -------> B.1
1569           Start                             -------> A.4
1577           Controller                    -------> B.2
1771           Controller                    -------> B.3
1965           Start                              -------> A.5
2095           Controller                     -------> B.4
2167           Start                               -------> A.6
2348           Start                               -------> A.7
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2016 07:22 AM 
  ... | eval timea1=if(match(_raw,".*A\.1.*"),_time,null())
 | eval timeb1=if(match(_raw,".*B\.1.*"),_time,null()) 
  | eval Tab1=timea1-timeb1 
  | table timea1 timeb2 Tab1

Something like that, but we need more details such as what your field names are, etc to make it a more appropriate answer.

0 Karma
Reply

shenjunwei
New Member
‎06-26-2016 06:19 PM

Thanks for your answer. May be I didn't explain so clearly, A.1, A.2, B.1 are not in the event. The real data is just like
978 Start

1152 Start

1358 Start

1375 Controller

1569 Start

1577 Controller

1771 Controller

1965 Start

2095 Controller

2167 Start

2348 Start

Is there any way which could calculate the difference between first start and controller, and the subsequence?

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 11:13 AM

Is this data already in Splunk? Have all the fields been extracted? What is the name of the field that has A.1, A.2 etc?

Reply

shenjunwei
New Member
‎06-26-2016 06:13 PM

Yes, these data are already in Splunk. A.1, A.2 ,etc are not in the data field, the data is just like "978 Start ".
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...