Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the _time difference in a list of eventTypes by algorithm (non-sequencial order)?

iamsplunker
Communicator
‎08-05-2021 03:09 PM

Hello Splunk Community

I'm working on a SPL to give _time difference of list of eventTypes as per the algorithm. Currently I'm using the below query.

index=apple source=datapipe AccountNumber=*

eventType=newyork          OR                              

eventType=california         OR                            

eventType=boston             OR                            

eventType=houston           OR                           

eventType=dallas                OR                        

eventType=austin               OR                          

eventType=Irvine                OR                       

eventType=Washington      OR                     

eventType=Atlanta               OR                      

eventType=San Antonio      OR                 

eventType=Brazil                   OR                 

eventType=Mumbai              OR                     

eventType=Delhi                    OR                   

|fieldformat _time=strftime(_time,"%m/%d/%Y%I:%M:%S %p")

|sort by AccountNumber,_time

|streamstats  range(_time) as diff window=2

|eval DifferenceInTimeByEventtime=strftime(diff,"%M:%S")

|table AccountNumber eventType _time DifferenceInTimeByEventtime

The query is working..However I need the time difference as per the algorithm. NOT ONLY as per the previous event .The algorithm is as follows

A    eventType=newyork                                   

B    eventType=california            B-A                        

C    eventType=boston                C-B                                 

D    eventType=houston             D-C                                

E     eventType=dallas                  E-D                    

F     eventType=dallas                   F-D                   

G     eventType=Irvine                 G-E                       

H     eventType=Irvine                  H-F       

I      eventType=Atlanta                I-H                      

J    eventType=San Antonio         J-I                 

K   eventType=San Antonio         K-I                             

L    eventType=Mumbai               L-I                    

M   eventType=Delhi                    M-I

I'm looking for a

  1. _time difference according to the algorithm above
  2. Add Avg,Max,Min column to the search    

I would appreciate if there is a query optimization

Thanks in Advance.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-05-2021 03:47 PM

Why isn't I I-G and L L-J and M M-L as these would seem to fit a pattern or are these completely arbitrary which would make optimising the search rather difficult?

0 Karma
Reply

iamsplunker
Communicator
‎08-05-2021 04:17 PM

@ITWhisperer : That's an algorithm .. and need to calculate the difference in that format. I'm thinking ..May be  writing a sub search for each event type and give the logic for the calculation may work?

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-06-2021 12:45 AM

Try a case function e.g. case(row="B", timefromB-timefromA,row="C",timefromC-timefromB,...) where timefrom can be mvindex of all the times e.g. timefromA is mvindex(times,0). You can generate times with eventstats list(_time) as times

0 Karma
Reply

iamsplunker
Communicator
‎08-24-2021 03:41 PM

@ITWhisperer : 

I'm able to write the query for the difference ..however I'm not able to map the difference with _time. Is this something you could help?

I used the below query to get the difference as per the algorithm (D1,D2,D3 .. are difference, E as EventType T as _time)

| sort by _time,AccountNumber
| stats list(eventType) as E list(_time) as T by AccountNumber
| eval T0=(mvindex(T,0))
| eval T1=(mvindex(T,1))
| eval D1=T1-T0
| fieldformat D1= strftime(D1,"%M:%S")

| eval T2=(mvindex(T,2))
| eval T3=(mvindex(T,3))
| eval D2=T2-T1
| fieldformat D2= strftime(D2,"%M:%S")

| eval T4=(mvindex(T,4))
| eval T5=(mvindex(T,5))
| eval D3=T3-T2
| fieldformat D3= strftime(D3,"%M:%S")

---
| table AccountNumber E T D1 D2 D3 D4 D5

My resultes are showing like this

AccountNumber             E                     T                         D1          D2        D3         D4              D5

123456789              NewYork    1/1/2021:12:30    30:00  30:00  30:00   30:00       30:00
                                       California  1/1/2021:01:00
                                       Boston       1/1/2021:01:30
                                      Houston      1/1/2021:02:00
                                       Dallas          1/1/2021:02:30

I do not want the D1,D2,D3,D4,D5 Columns .. I want Difference Column Mapped with T (side by side)along with AccountNumber E T. Please help

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...