Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create an accumulated time difference c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create an accumulated time difference column that, upon reaching a certain value, resets to the current row's time difference?
Joni123
New Member
03-26-2015
06:01 AM
Hi,
I'm looking for a way to add an accumulated time difference column - but one that will "zero" every time it reaches a certain value (in this case, 2)
I'm looking for a command (or set of commands...) that will run automatically and offer indefinite "zeroing" events.
The current search I have is:
| sort 0 uuid _time
| streamstats current=f last(_time) as last_time by user_id session_id
| eval diff=(_time-last_time)/60
| streamstats current=t sum(diff) as accum_diff by user_id session_id
| table _time user_id session_id _time last_time diff accum_diff
And the result is:
_time |user_id|session_id|last_time | diff |accum_diff
10:35:01| 1 | 1A | | |
10:39:49| 1 | 1A |1427304901| 4.8 | 4.8
10:39:50| 1 | 1A |1427305189| 0.02 | 4.82
10:41:19| 1 | 1A |1427305190| 1.48 | 6.3
10:41:25| 1 | 1A |1427305279| 0.1 | 6.4
10:41:56| 1 | 1A |1427305285| 0.52 | 6.92
10:42:43| 1 | 1A |1427305316| 0.78 | 7.7
10:43:13| 1 | 1B | | |
10:43:52| 1 | 1B |1427305393| 0.65 | 0.65
10:43:53| 1 | 1B |1427305432| 0.02 | 0.67
10:43:55| 1 | 1B |1427305433| 0.03 | 0.7
10:44:19| 1 | 1B |1427305435| 0.4 | 1.1
10:44:23| 1 | 1B |1427305459| 0.07 | 1.17
10:44:25| 1 | 1B |1427305463| 0.03 | 1.2
10:45:13| 1 | 1B |1427305465| 0.8 | 2
08:01:13| 2 | 1B | | |
08:01:30| 2 | 2A |1427295673| 0.28 | 0.28
08:02:25| 2 | 2A |1427295690| 0.92 | 1.2
08:02:41| 2 | 2A |1427295745| 0.27 | 1.47
08:03:15| 2 | 2A |1427295761| 0.57 | 2.03
08:03:56| 2 | 2A |1427295795| 0.68 | 2.72
08:05:47| 2 | 2A |1427295836| 1.85 | 4.57
08:05:55| 2 | 2A |1427295947| 0.13 | 4.7
08:06:15| 2 | 2A |1427295955| 0.33 | 5.03
08:06:34| 2 | 2A |1427295975| 0.32 | 5.35
08:07:00| 2 | 2A |1427295994| 0.43 | 5.78
How can I zero "accum_diff" and have it accumulate "diff" once it hit 2?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vganjare
Builder
04-29-2015
01:50 AM
Hi,
You can use custom search command for getting desired result. The custom search command is a python script which will get access to all the data result. Using small python code, this functinality can be achieved. More details @ http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/Searchscripts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vganjare
Builder
04-28-2015
12:11 AM
Can you please provide the expected output?
Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Joni123
New Member
04-29-2015
12:20 AM
Yes - should look like this - when accum_diff=2, it zeros and starts the sum again in the next record:
_time |user_id|session_id|last_time | diff |accum_diff_max_2
10:35:01| 1 | 1A | | |
10:39:49| 1 | 1A |1427304901| 4.8 | 4.8
10:39:50| 1 | 1A |1427305189| 0.02 | 0.02
10:41:19| 1 | 1A |1427305190| 1.48 |1.5
10:41:25| 1 | 1A |1427305279| 0.1 | 1.6
10:41:56| 1 | 1A |1427305285| 0.52 | 2.12
10:42:43| 1 | 1A |1427305316| 0.78 | 0.78
10:43:13| 1 | 1B | | |
10:43:52| 1 | 1B |1427305393| 0.65 | 0.65
10:43:53| 1 | 1B |1427305432| 0.02 | 0.67
10:43:55| 1 | 1B |1427305433| 0.03 | 0.7
10:44:19| 1 | 1B |1427305435| 0.4 | 1.1
10:44:23| 1 | 1B |1427305459| 0.07 | 1.17
10:44:25| 1 | 1B |1427305463| 0.03 | 1.2
10:45:13| 1 | 1B |1427305465| 0.8 | 2
08:01:13| 2 | 1B | | |
08:01:30| 2 | 2A |1427295673| 0.28 | 0.28
08:02:25| 2 | 2A |1427295690| 0.92 | 1.2
08:02:41| 2 | 2A |1427295745| 0.27 | 1.47
08:03:15| 2 | 2A |1427295761| 0.57 | 2.03
08:03:56| 2 | 2A |1427295795| 0.68 | 0.68
08:05:47| 2 | 2A |1427295836| 1.85 | 2.53
08:05:55| 2 | 2A |1427295947| 0.13 | 0.13
08:06:15| 2 | 2A |1427295955| 0.33 | 0.46
08:06:34| 2 | 2A |1427295975| 0.32 | 0.78
08:07:00| 2 | 2A |1427295994| 0.43 | 1.21
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Cisco Live 2026 is almost here, and this ...
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Hello Splunkers,
So you searched, “what is the name of the usb key inserted by bob smith?”
Not gonna lie… ...
Automating Threat Operations and Threat Hunting with Recorded Future
Automating Threat Operations and Threat Hunting
with Recorded Future
June 29, 2026 | Register
Is your ...
