Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get time between events during a search?

ayela
Engager
‎06-25-2018 07:24 PM

Hi everyone,

Recently I faced some issues when I try to do an advance search.
My problem : I need to create table that contains : id | duration

  1. I search for the first appearance keyword and get the time. Example : Received 115sd65sa25sa. 115sd65sa25sa is my id and Received is my keyword let say the variable a = _time.
  2. Now for each id I want to search when it was sent (I also have a keyword for that) Example : Sent115sd65sa25sa b=_time
  3. So at the end I should have a table that contains the id and b-a

I tried to use different techniques like map and sub-search but it doesn't seem to work.

Thank you very much

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-26-2018 07:34 PM

Hi @ayela ,

Try this and let me know what's missing

index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" ("Source Message Received" OR "sent")
|eval startime=if(searchmatch("Source Message Received"),_time,null())
|eval endtime=if(searchmatch("sent"),_time,null())
|table _time,startime,endtime,userId
|where (startime!="" OR endtime!="")
|stats latest(startime) as start,latest(endtime) as end by userId
|eval time_diff=end-start
|table userId,time_diff
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎06-26-2018 07:34 PM

Hi @ayela ,

Try this and let me know what's missing

index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" ("Source Message Received" OR "sent")
|eval startime=if(searchmatch("Source Message Received"),_time,null())
|eval endtime=if(searchmatch("sent"),_time,null())
|table _time,startime,endtime,userId
|where (startime!="" OR endtime!="")
|stats latest(startime) as start,latest(endtime) as end by userId
|eval time_diff=end-start
|table userId,time_diff
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

ayela
Engager
‎06-27-2018 09:42 AM

THANK YOU !!!!
you just misspelled starttime but thank you very much !!

0 Karma
Reply
Solved! Jump to solution

amiftah
Communicator
‎06-25-2018 08:48 PM

I used my imagination to try to figure out what you want to achieve, so here's a sample of query it may help you:

| makeresults
| eval id="Received", value="115sd65sa25sa", _time=relative_time(_time, "-2min")
| append
[| makeresults
| eval id="Sent", value="115sd65sa25sa"]
| stats list(id) as id,list(_time) as "time" by value 
| eval a = mvindex(time, 0) 
| eval b = mvindex(time, 1) 
| eval diff=b-a
| eval diff = tostring(diff, "duration")
| fields - id, time,a,b
0 Karma
Reply
Solved! Jump to solution

ayela
Engager
‎06-26-2018 07:02 AM

Thank you for responding.

Sorry if it was not clear.

here's an example pf the query I try to do

index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "Source Message Received" "_TEST01*" | xmlkv | table userId, _time

the previous query works it gets all the userId(from the xml) and the initial time

now I want to do something like this :

for each userId
index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "sent" "_TEST01" userId | top limit=1 _time | table userId, ( _time2 - _time)

_time2 is the the time when it was sent
_time is the time we received the id
userId : value of the xml tag

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎06-25-2018 07:38 PM

Hi @ayela ,
Do you have sample events for both received and sent?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

ayela
Engager
‎06-26-2018 07:00 AM

index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "Source Message Received" "_TEST01*" | xmlkv | table userId, _time

the previous query works it gets all the userId and the initial time

now I want to do something like this :

for each userId
index="c" sourcetype="flox:app" laas_env=dev laas_file="/var/tmp/test/logs/dev.log" "sent" "_TEST01" userId | top limit=1 _time | table userId, ( _time2 - _time)

_time2 is the the time when it was sent
_time is the time we received the id
userId : value of the xml tag

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...