Solved: How to get duration from start and time two differ...

Sekhar · ‎04-14-2023

I have two events one is

Index=x source type= xx "String" extacted fields s like manid,actionid,batch I'd

2nd event

Index=y source type=y " string recived" extacted fields like manid ,actionid

Calculate the time from 2nd event -1 event .

While calculating the time mandid should same

yuanliu · ‎04-14-2023

Something like

(index=x source type= xx "String") OR (index=y source type=y " string recived")
| stats values(_time) as time values(actionid) as actionid values(batchid) as batchid by manid
| eval duration = max(time) - min(time)

View solution in original post

yuanliu · ‎04-14-2023

Something like

(index=x source type= xx "String") OR (index=y source type=y " string recived")
| stats values(_time) as time values(actionid) as actionid values(batchid) as batchid by manid
| eval duration = max(time) - min(time)

Sekhar · ‎04-14-2023

Result getting fine but want based on the below condition

Calculate the diffe bw start event and end event grouped by manid. And count number mandate exceeding different above 30 seconds

yuanliu · ‎04-14-2023

Then you add calculation based on duration.

| eval excessive = if(duration > 30, duration, null())
| stats count(excessive) as excess_count avg(excessive) as excess_avg by manid

How to get duration from start and time two different events and different index based on the common filed?

join

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!