Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate a search that will combine two events with different fields that contain the same value and calculate response time?

arjangoos
Path Finder
‎11-02-2016 08:40 AM

I want to combine two events based on different fields (ID and PARENT_ID) that have the same value and then find the difference of CREATION_TIMESTAMP of event1 and the CREATION_TIMESTAMP of event2, in order to calculate the response time.

event 1

ID =1, PARENT_ID=NULL, CREATION_TIMESTAMP=1478097923354

event 2

ID=2, PARENT_ID=1, CREATION_TIMESTAMP=1478097924800
0 Karma
Reply

cmerriman
Super Champion
‎11-02-2016 09:23 AM

so when ID=1 and PARENT_ID=1, you want to join?

if so, try something like this:

....|appendpipe [stats max(CREATION_TIMESTAMP) as CREATION_TIMESTAMP2 by PARENT_ID|rename PARENT_ID as ID]|stats values(CREATION_TIMESTAMP) as CREATION_TIMESTAMP values(CREATION_TIMESTAMP2) as CREATION_TIMESTAMP2 by ID|eval timeDiff=CREATION_TIMESTAMP2-CREATION_TIMESTAMP
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...