@gcusello 
NOT working
The search find events but statistics as no value

Hi @DPOIRE,

could you share your full search?

Ciao.

Giuseppe

@gcusello 

index=indexname ("log_processed.destAppName"=app1 "log_processed.message"="Publish Take Message")
OR ("log_processed.destAppName"="app2" "log_processed.srcAppName"=app3)
| eval "newtime"=strptime("log_processed.@timestamp","%Y-%m-%dT%H:%M:%S.%2N%:z")
| stats range("newtime") as Delay by "log_processed.logId"
| stats max(Delay)

@gcusello 

For each log_processed.logId it returns 2 events for which I want to calculate the time difference in the "log_processed.@timestamp" field

Hi @DPOIRE,

at first avoid dots, spaces or special chars in field names, if you have rename them, to be more sure!

, so range function should run, but to debug your search use manuale calculation of range:

index=indexname ("log_processed.destAppName"=app1 "log_processed.message"="Publish Take Message")
OR ("log_processed.destAppName"="app2" "log_processed.srcAppName"=app3)
| rename "log_processed.@timestamp" AS timetamp
| eval newtime=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%2N%:z")
| stats earliest(newtime) AS earliest latest(newtime) AS latest values(timestamp) AS timestamp BY "log_processed.logId"
| eval Delay=latest-earliest
| stats max(Delay) values(timestamp) AS timestamp 

In this way you manually calculate Delay and you display the values of starting and ending time.

Ciao.

Giuseppe

@gcusello 
Hi,
Function is still not working, no values displayed in the Statistic window.
However, in the Events window, I see in the left pane the timestamp field.
Looks like the timestamp values are not recognized as epoch time format.
timestamp field

Hi @DPOIRE,

analyzing your screenshot I see a difference in the time format of timestamp: there are three milliseconds and not two as the sample you shared, so please, use %3N insted of %2N in the eval command.

This explain the reading problem.

Ciao.

Giuseppe

Hi @DPOIRE,

are you sure that the name of the field timestamp originally is "log_processed.@timestamp"?

You can see it using the main search without the other parts of the search.

Ciao.

Giuseppe

Actually, from what I see (previous printscreen) the strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%2N%:z") function conversion does not seem to work.

Hi @DPOIRE,

to be sure about the convertion in epochtine, please run this:

index=indexname ("log_processed.destAppName"=app1 "log_processed.message"="Publish Take Message")
OR ("log_processed.destAppName"="app2" "log_processed.srcAppName"=app3)
| rename "log_processed.@timestamp" AS timetamp
| eval newtime=strptime(timestamp,"%Y-%m-%dT%H:%M:%S.%3N%:z")
| table _time newtime timestamp

each row should have all the three values if not the problem is in the convertion.

Ciao.

Giuseppe

@gcusello 

newtime and timestamp have no values(blank)

tried, makes no difference

@gcusello 
Found something
Typo in the rename command for timestamp.
That why it is not working (I copied your stuff all the time)

Will redo tests without typo

Hi @DPOIRE,

no, no problem, it's important that there's the correct solution for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉