Splunk Search
Highlighted

How to edit my search to calculate the time difference between two events?

Explorer

Hello Splunk'all,

I am trying to derive a simple chart from the data I got here within a Splunk Index. The data consists of epoch time (field name is "transactiontime") and the transaction values. The transactions contains success and failures and every transaction has an epoch timestamp for the transaction occurred.
I am simply trying to create a graph with the data for the time between every failure. For example: in a day, if there are two failures, one at 3 AM and one at 8 PM, I am trying to create a graph and show the time between these two failures (which is 17 Hrs). SO I took some help from a colleague of mine and got to this stage (please see below) and I am able to take two transactions into one field, but the time difference between those epoch values of two transactions are showing wrong.
Please see the search below and let me know for any missing logic I need to incorporate here:

index="dynatrace" transactionname="*"
sort _time| 
search tpf > 0 |
eval cvtime=strftime(transactiontime/1000, "%H:%M:%S %d-%m-%Y") |
transaction host maxevents=2 |
eval mdiff=round(duration)|
table mdiff,cvtime,ttime

Thanks
Vikram Y

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Legend

Try this

*UPDATED*

    index=dynatrace "failed events" transactioname=* |  stats earliest(_time) as start latest(_time) as end by host transactionname | eval duration=tostring(round(end-start, 0), "duration")

View solution in original post

Highlighted

Re: How to edit my search to calculate the time difference between two events?

Explorer

Hi sundar,
I do see your logic here. You took the "_time" and calculated the output based on the parameter we need ("failed events"in this case). I am getting the full list individually now in the output. Thats really good..
I am actually trying to achieve to get the time difference between two individual events and put them into the Visualization in Splunk.

Thanks
Vikram Y

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Explorer

Actually I forgot to notice this before:
eval delta=tostring(_time-prevtime, "duration") is not outputting any value.. Looking more into it.

Thanks
Vikram Yerneni

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Legend

Try this runanywhere sample

index=_internal | streamstats window=1 current=f earliest(_time) as nextTime by host sourcetype | eval duration=nextTime-_time | table _time nextTime duration
0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Explorer

Hey Sundar, I was off for last two days. Let me validate it and will get back to you.
Thanks man..

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Explorer

Hi Sundar,

Yes the "runanywhere sample" worked with output (Duration as "0"). However the earlier query you provided actually is not providing output to eval delta=tostring(_time-prevtime, "duration") |. I do see the logic here taking the previous provided time and subtracting it from _time (current time) which will give the time in between these two events.
Not sure why I did multiple combinations but still its not outputting it.

Any thoughts here..?

Thanks
Vikram Y

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Legend

Try the updated search..

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Explorer

Same response Sundar. Still its showing "Delta" field with blank values. I cant upload a screenshot to this ticket yet as I dont have enough Karma points..

Thanks
Vikram Y

0 Karma
Highlighted

Re: How to edit my search to calculate the time difference between two events?

Legend

What do you get when you run this

index=dynatrace "failed events" | reverse | streamstats window=1 current=f earliest(_time) as prevTime by host transactionname | table host transactionname  _time prevTIme
0 Karma