Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate time difference between two different searches for a common field?

akidua
Explorer
‎03-06-2023 09:28 AM

I have 2 different search queries and I want to calculate sum of differences between time of event 1 and event 2 (in hours) for a common field (customID)

Query 1:
index=xacin sourcetype="xaxd" "*Completed setting deactivation timer for*" OR "grace period" | rex "[cC]ustom:(?<customID>\w+)"| dedup customID| eval ltime=_time

customIDltime
wj1678118565.572
bi8m1678089668.915
nri1678060951.505


Query 2:
index=xacin sourcetype="xaxd" "*StatusHandler - Completed moving *" | rex "custom:(?<customID>\w+)"| dedup customID |eval rtime=_time

customIDrtime
bi8m1678118477.707
a2su1678118456.775
ceo1678118425.484
nri1678089748.844


Since bi8m and nri are common customID, I need to output : (1678118477.707-1678089668.915) + (1678089748.844 -1678060951.505) = 57606.131 

I tried to come up with the following query but clearly it's not working:

index=xacin sourcetype="xaxd" "*Completed setting deactivation timer for*" OR "grace period" | rex "[cC]ustom:(?<customID>\w+) "| dedup customID| eval ltime=_time | append [search index=xacin sourcetype="xaxd" "*StatusHandler - Completed moving *" | rex "custom:(?<customID>\w+)"| dedup customID| eval rtime=_time | stats count by customID | where count > 1 | eval time_diff=(rtime-ltime)| stats sum(time_diff)

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2023 09:46 AM

Hi @akidua,

you could try something like this:

index=xacin sourcetype="xaxd" ("*Completed setting deactivation timer for*" OR "grace period" OR "*StatusHandler - Completed moving *"
| rex "[cC]ustom:(?<customID>\w+)"
| rex "custom:(?<customID>\w+)"
| eval 
  rtime=if(searchmatch(like(("%StatusHandler - Completed moving %"),_time,""),
  ltime=if(searchmatch(like(("%StatusHandler - Completed moving %"),"",_time)
| stats earliest(rtime) AS rtime latest(ltime) AS latest count BY customID 
| where count > 1 
| eval time_diff=(rtime-ltime)
| stats sum(time_diff)

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

akidua
Explorer
‎03-10-2023 08:06 AM

Thanks @gcusello ..i used a modified version of this and it worked.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2023 11:07 PM

Hi @akidua ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-06-2023 09:46 AM

Hi @akidua,

you could try something like this:

index=xacin sourcetype="xaxd" ("*Completed setting deactivation timer for*" OR "grace period" OR "*StatusHandler - Completed moving *"
| rex "[cC]ustom:(?<customID>\w+)"
| rex "custom:(?<customID>\w+)"
| eval 
  rtime=if(searchmatch(like(("%StatusHandler - Completed moving %"),_time,""),
  ltime=if(searchmatch(like(("%StatusHandler - Completed moving %"),"",_time)
| stats earliest(rtime) AS rtime latest(ltime) AS latest count BY customID 
| where count > 1 
| eval time_diff=(rtime-ltime)
| stats sum(time_diff)

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...