Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to calculate the time range between two events?

shenjunwei
New Member
‎06-24-2016 12:52 AM

I have data like below. How do I calculate the time difference between A.1-B. 1, A.2-B.2......A.n-B.n

Time Offset Word1
978         Start                      -------> A.1
1152           Start                           -------> A.2
1358           Start                           -------> A.3
1375           Controller                    -------> B.1
1569           Start                             -------> A.4
1577           Controller                    -------> B.2
1771           Controller                    -------> B.3
1965           Start                              -------> A.5
2095           Controller                     -------> B.4
2167           Start                               -------> A.6
2348           Start                               -------> A.7
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2016 07:22 AM 
  ... | eval timea1=if(match(_raw,".*A\.1.*"),_time,null())
 | eval timeb1=if(match(_raw,".*B\.1.*"),_time,null()) 
  | eval Tab1=timea1-timeb1 
  | table timea1 timeb2 Tab1

Something like that, but we need more details such as what your field names are, etc to make it a more appropriate answer.

0 Karma
Reply

shenjunwei
New Member
‎06-26-2016 06:19 PM

Thanks for your answer. May be I didn't explain so clearly, A.1, A.2, B.1 are not in the event. The real data is just like
978 Start

1152 Start

1358 Start

1375 Controller

1569 Start

1577 Controller

1771 Controller

1965 Start

2095 Controller

2167 Start

2348 Start

Is there any way which could calculate the difference between first start and controller, and the subsequence?

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 11:13 AM

Is this data already in Splunk? Have all the fields been extracted? What is the name of the field that has A.1, A.2 etc?

Reply

shenjunwei
New Member
‎06-26-2016 06:13 PM

Yes, these data are already in Splunk. A.1, A.2 ,etc are not in the data field, the data is just like "978 Start ".
Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...