How to extract time interval between each near two...

JSIrony · ‎03-06-2022

hi, I'm finding how to calculate each time difference from near 2 events

for example,

if my search output is

f1 datetime

A ~~ 09:00

A ~~ 10:00

A ~~ 15:00

B ~~ 06:00

B ~~ 08:30

I want a table like

A 1:00

A 5:00

B 2:30

I prefer to print it without making big temporary output table(for look-up or etc) if I can

can I get some ideas?

ITWhisperer · ‎03-07-2022

Assuming you have the times (_time) in epoch format

| streamstats range(_time) as timediff window=2 global=f by f1
| where timediff>0
| eval timediff=tostring(timediff,"duration")

yuanliu · ‎03-06-2022

Are you looking for delta?

| delta _time as timedelta

JSIrony · ‎03-06-2022

thanks 🙂

I considered about delta, but it can't be grouped by another field (like f1 in question i wrote)

now I'm trying using streamstats-range-window=2 with time sorted table like this

| streamstats window=2 range(_time) by f1

are there other better solutions?

yuanliu · ‎03-06-2022

If groupby is a requirement (not quite clear in OP), streamstats is the answer.

How to extract time interval between each near two events?