Splunk Search

How to do calculate log time between search result and next row ?

New Member

Hi All, I am studying splunk recently and need help about some question, thanks.
When I want to search one key word and want to calculate the key word and next row's time, what should I do?

For example:

1 25-Mar-2016 15:26:42.727 AAA

2 25-Mar-2016 15:26:43.420 BBB

3 25-Mar-2016 15:26:44.123 CCC

4 25-Mar-2016 15:26:45.861 AAA

5 25-Mar-2016 15:26:46.678 DDD

If I search AAA, so I can get two row(#1, #4), but I also want to get the time, like #2-#1(25-Mar-2016 15:26:43.420 - 25-Mar-2016 15:26:42.727) and #5-#4(25-Mar-2016 15:26:46.678 - 25-Mar-2016 15:26:45.861).
As a result, I can get the execute time from my key word to next row. Thank you very much.

0 Karma


Try something like this

your current search giving output above | streamstats current=f window=1 values(_time) as prev_time | search filter for AAA | eval duration=prev_time-_time 
0 Karma

New Member

Thank you for your help.

Sorry, clarify my example again, the raw data as follows(log files):

1 25-Mar-2016 15:26:42.727 mknvuxsgdflfkgnd;flkghj"AAA"dfkjbsljkfnlk;dsjrghfiljkh

2 25-Mar-2016 15:26:43.420 sflknl;kjpothfjhl;'fgj"BBB"ld;kfjgopiehrtoiey

3 25-Mar-2016 15:26:44.123 lk[pulikljs;lknlkaznsdkljafdja;bf;jaf;d"CCC"fsk;hedjfhgj;dgjlf'dkjsieujroiehto;

4 25-Mar-2016 15:26:45.861 hjghjkfghj[dportpwtp[l[yt"AAA",dl;ktypokrp[oytukopknsdjklfgahsd

5 25-Mar-2016 15:26:46.678 mkajerohqauwiheigbsldl"DDD",sodpktpoir[pyujjs;hltfuish;


So the row data not only have AAA or BBB..., and data is from original log files.

I used your answer to search, but no results found, so need your help again, thank you very much.

0 Karma