Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the time range between two events?

shenjunwei
New Member
‎06-24-2016 12:52 AM

I have data like below. How do I calculate the time difference between A.1-B. 1, A.2-B.2......A.n-B.n

Time Offset Word1
978         Start                      -------> A.1
1152           Start                           -------> A.2
1358           Start                           -------> A.3
1375           Controller                    -------> B.1
1569           Start                             -------> A.4
1577           Controller                    -------> B.2
1771           Controller                    -------> B.3
1965           Start                              -------> A.5
2095           Controller                     -------> B.4
2167           Start                               -------> A.6
2348           Start                               -------> A.7
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎06-25-2016 07:22 AM 
  ... | eval timea1=if(match(_raw,".*A\.1.*"),_time,null())
 | eval timeb1=if(match(_raw,".*B\.1.*"),_time,null()) 
  | eval Tab1=timea1-timeb1 
  | table timea1 timeb2 Tab1

Something like that, but we need more details such as what your field names are, etc to make it a more appropriate answer.

0 Karma
Reply

shenjunwei
New Member
‎06-26-2016 06:19 PM

Thanks for your answer. May be I didn't explain so clearly, A.1, A.2, B.1 are not in the event. The real data is just like
978 Start

1152 Start

1358 Start

1375 Controller

1569 Start

1577 Controller

1771 Controller

1965 Start

2095 Controller

2167 Start

2348 Start

Is there any way which could calculate the difference between first start and controller, and the subsequence?

0 Karma
Reply

sundareshr
Legend
‎06-24-2016 11:13 AM

Is this data already in Splunk? Have all the fields been extracted? What is the name of the field that has A.1, A.2 etc?

Reply

shenjunwei
New Member
‎06-26-2016 06:13 PM

Yes, these data are already in Splunk. A.1, A.2 ,etc are not in the data field, the data is just like "978 Start ".
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...