Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the time range between two events?

shenjunwei
New Member
‎06-24-2016 12:52 AM

I have data like below. How do I calculate the time difference between A.1-B. 1, A.2-B.2......A.n-B.n

Time Offset Word1
978         Start                      -------> A.1
1152           Start                           -------> A.2
1358           Start                           -------> A.3
1375           Controller                    -------> B.1
1569           Start                             -------> A.4
1577           Controller                    -------> B.2
1771           Controller                    -------> B.3
1965           Start                              -------> A.5
2095           Controller                     -------> B.4
2167           Start                               -------> A.6
2348           Start                               -------> A.7
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2016 07:22 AM 
  ... | eval timea1=if(match(_raw,".*A\.1.*"),_time,null())
 | eval timeb1=if(match(_raw,".*B\.1.*"),_time,null()) 
  | eval Tab1=timea1-timeb1 
  | table timea1 timeb2 Tab1

Something like that, but we need more details such as what your field names are, etc to make it a more appropriate answer.

0 Karma
Reply

shenjunwei
New Member
‎06-26-2016 06:19 PM

Thanks for your answer. May be I didn't explain so clearly, A.1, A.2, B.1 are not in the event. The real data is just like
978 Start

1152 Start

1358 Start

1375 Controller

1569 Start

1577 Controller

1771 Controller

1965 Start

2095 Controller

2167 Start

2348 Start

Is there any way which could calculate the difference between first start and controller, and the subsequence?

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 11:13 AM

Is this data already in Splunk? Have all the fields been extracted? What is the name of the field that has A.1, A.2 etc?

Reply

shenjunwei
New Member
‎06-26-2016 06:13 PM

Yes, these data are already in Splunk. A.1, A.2 ,etc are not in the data field, the data is just like "978 Start ".
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...