I have two or more transactions like this:
Host:abc12301 start:08:00 end:10:00
Host:abc12302 start:09:05 end:11:00
If you look, the time windows of the transactions overlap. I would like to be able to calculate the duration of the overlap itself.
Not sure if there is an automated way.
Any help would be appreciated,
Will you always have only two events to match up?
If you will have more than two, will you have them already correlated (like with a
Hey @raynold.peterson, don't forget to accept an answer if one of these solutions worked for you. 🙂 Everyone loves karma points! Happy Splunking!
Adapt one of these -
The basic idea is to break each transaction into two - one that +1s the count at the start, and one that -1s the count at the end. In your use case, any increment of time where the total open count is 2 or more is a unit of overlap.
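The sweep described above, as an added example that is not part of the original answer: each transaction becomes a +1 event at its start and a -1 event at its end, the events are sorted by time, and every stretch where the running count is 2 or more is overlap. The sample lines, the host names, and the assumption that times are HH:MM on one day (no midnight wrap) are constructed for this illustration; the same logic maps onto an SPL `streamstats sum(delta)` over the split events. It generalizes the question's two-transaction case to any number of transactions and lets you ask for deeper overlap (three or more concurrent) via `min_depth`.

```python
import re
from typing import List, Tuple

# Constructed sample input in the question's format (hosts are made up).
SAMPLE = """Host:abc12301 start:08:00 end:10:00
Host:abc12302 start:09:05 end:11:00"""

LINE_RE = re.compile(r"Host:(\S+)\s+start:(\d{2}):(\d{2})\s+end:(\d{2}):(\d{2})")


def parse_transactions(text: str) -> List[Tuple[str, int, int]]:
    """Parse 'Host:<h> start:HH:MM end:HH:MM' lines into (host, start_min, end_min).

    Times are minutes since midnight; lines that do not match are skipped.
    """
    txns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, sh, sm, eh, em = m.groups()
        start = int(sh) * 60 + int(sm)
        end = int(eh) * 60 + int(em)
        if end < start:
            raise ValueError(f"end before start: {line!r}")
        txns.append((host, start, end))
    return txns


def overlap_segments(txns, min_depth: int = 2):
    """Sweep-line over +1/-1 events.

    Returns [(from_min, to_min, open_count)] for every stretch where the
    number of simultaneously open transactions is >= min_depth.
    """
    events = []
    for _, start, end in txns:
        events.append((start, +1))   # transaction opens
        events.append((end, -1))     # transaction closes
    # Sort by time; at the same instant process -1 before +1 so that an
    # interval ending exactly when another starts is not counted as overlap.
    events.sort(key=lambda e: (e[0], e[1]))

    segments = []
    depth = 0
    prev_t = None
    for t, delta in events:
        # The count 'depth' has been in effect from prev_t up to t.
        if prev_t is not None and depth >= min_depth and t > prev_t:
            segments.append((prev_t, t, depth))
        depth += delta
        prev_t = t
    return segments


def total_overlap_minutes(txns, min_depth: int = 2) -> int:
    """Total minutes during which at least min_depth transactions were open."""
    return sum(b - a for a, b, _ in overlap_segments(txns, min_depth))


def fmt(minutes: int) -> str:
    """Render minutes since midnight as HH:MM."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


if __name__ == "__main__":
    txns = parse_transactions(SAMPLE)
    for a, b, d in overlap_segments(txns):
        print(f"{fmt(a)}-{fmt(b)} open={d} ({b - a} min)")
    print("total overlap:", total_overlap_minutes(txns), "min")
```

For the two sample transactions this reports a single overlap window 09:05-10:00, 55 minutes. Adding a third transaction inside that window splits it into segments with different open counts, and the total for `min_depth=2` still sums to the union of the overlapping time.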
You can do some crazy stuff with
woodcock splunk answers concurrency and maybe something that I have written before will get you going.