Splunk Search

How to generate a search that will combine two events with different fields that contain the same value and calculate response time?

Path Finder

I want to combine two events based on different fields (ID and PARENT_ID) that have the same value and then find the difference of CREATION_TIMESTAMP of event1 and the CREATION_TIMESTAMP of event2, in order to calculate the response time.

event 1

ID=1, PARENT_ID=NULL, CREATION_TIMESTAMP=1478097923354

event 2

ID=2, PARENT_ID=1, CREATION_TIMESTAMP=1478097924800
0 Karma

Super Champion

So when ID=1 and PARENT_ID=1, you want to join?

If so, try something like this:

....
| appendpipe [stats max(CREATION_TIMESTAMP) as CREATION_TIMESTAMP2 by PARENT_ID | rename PARENT_ID as ID]
| stats values(CREATION_TIMESTAMP) as CREATION_TIMESTAMP values(CREATION_TIMESTAMP2) as CREATION_TIMESTAMP2 by ID
| eval timeDiff=CREATION_TIMESTAMP2-CREATION_TIMESTAMP
0 Karma
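
The search from the answer above, run against constructed sample events so it can be pasted into a search bar without an index (an added example, not part of the original posts). The first two events are the ones from the question; the third (ID=3) is constructed to show a request that never got a response. The `constructed_events` field, the `where PARENT_ID!="NULL"` filter inside the subpipeline and the final `where isnotnull(timeDiff)` are additions that are not in the answer: they keep the literal NULL parent from producing its own row and drop IDs that have no matching child event.

```spl
| makeresults
| eval constructed_events="ID=1,PARENT_ID=NULL,CREATION_TIMESTAMP=1478097923354;ID=2,PARENT_ID=1,CREATION_TIMESTAMP=1478097924800;ID=3,PARENT_ID=NULL,CREATION_TIMESTAMP=1478097925000"
| makemv delim=";" constructed_events
| mvexpand constructed_events
| rex field=constructed_events "^ID=(?<ID>\w+),PARENT_ID=(?<PARENT_ID>\w+),CREATION_TIMESTAMP=(?<CREATION_TIMESTAMP>\d+)"
| table ID PARENT_ID CREATION_TIMESTAMP
| appendpipe
    [ where PARENT_ID!="NULL"
    | stats max(CREATION_TIMESTAMP) as CREATION_TIMESTAMP2 by PARENT_ID
    | rename PARENT_ID as ID ]
| stats values(CREATION_TIMESTAMP) as CREATION_TIMESTAMP values(CREATION_TIMESTAMP2) as CREATION_TIMESTAMP2 by ID
| eval timeDiff=CREATION_TIMESTAMP2-CREATION_TIMESTAMP
| where isnotnull(timeDiff)
```

Since CREATION_TIMESTAMP is in epoch milliseconds, timeDiff is the response time in milliseconds.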