Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to do calculate log time between search result and next row ?

blueyuan
New Member
‎03-25-2016 02:26 AM

Hi All, I am studying splunk recently and need help about some question, thanks.
When I want to search one key word and want to calculate the key word and next row's time, what should I do?

For example:

1 25-Mar-2016 15:26:42.727 AAA

2 25-Mar-2016 15:26:43.420 BBB

3 25-Mar-2016 15:26:44.123 CCC

4 25-Mar-2016 15:26:45.861 AAA

5 25-Mar-2016 15:26:46.678 DDD

If I search AAA, so I can get two row(#1, #4), but I also want to get the time, like #2-#1(25-Mar-2016 15:26:43.420 - 25-Mar-2016 15:26:42.727) and #5-#4(25-Mar-2016 15:26:46.678 - 25-Mar-2016 15:26:45.861).
As a result, I can get the execute time from my key word to next row. Thank you very much.

0 Karma
Reply

somesoni2
Revered Legend
‎03-25-2016 07:42 AM

Try something like this

your current search giving output above | streamstats current=f window=1 values(_time) as prev_time | search filter for AAA | eval duration=prev_time-_time
0 Karma
Reply

blueyuan
New Member
‎03-28-2016 07:07 PM

Thank you for your help.

Sorry, clarify my example again, the raw data as follows(log files):

1 25-Mar-2016 15:26:42.727 mknvuxsgdflfkgnd;flkghj"AAA"dfkjbsljkfnlk;dsjrghfiljkh

2 25-Mar-2016 15:26:43.420 sflknl;kjpothfjhl;'fgj"BBB"ld;kfjgopiehrtoiey

3 25-Mar-2016 15:26:44.123 lk[pulikljs;lknlkaznsdkljafdja;bf;jaf;d"CCC"fsk;hedjfhgj;dgjlf'dkjsieujroiehto;

4 25-Mar-2016 15:26:45.861 hjghjkfghj[dportpwtp[l[yt"AAA",dl;ktypokrp[oytukopknsdjklfgahsd

5 25-Mar-2016 15:26:46.678 mkajerohqauwiheigbsldl"DDD",sodpktpoir[pyujjs;hltfuish;

......

So the row data not only have AAA or BBB..., and data is from original log files.

I used your answer to search, but no results found, so need your help again, thank you very much.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...