Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to inner join with field subtraction on two fields part of different searches?

batham
Explorer
‎01-30-2023 01:00 PM

Hi,

I am using inner join to form a table between 2 search, search is working fine but i want to subtract 2 fields in which one field is part of one search and another field is part of next search, I am displaying response in a table which  contains data from both search

 

 example

line1: datetime: , trace: 12345 , Request Received: {1}, URL:http://

line2:datetime: , trace: 12346 , Request Received: {2}, URL:http://

line3:datetime: , trace:12345 , Reponse provided: {3}

line4:datetime: ,trace:12346 , Reponse provided :{4}

 

In line1 and line 3 trace is common field and so is in line 1 and line 4

i have combined the result as

.... | table trace, Request,startTime
| join type=Inner trace
[ search .........
| table trace, Response,  EndTime]

Which is giving me response as below

trace      request     startTime     response     EndTime

12345   {1}                    09:18:20      {3}.              09:18:50

12346   {2}                   09:19:20       {4}.               09:20:21

I want to find out response time subtractingEndTime - startTime. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

batham
Explorer
‎01-30-2023 02:31 PM

Figured out the solution.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

batham
Explorer
‎01-30-2023 02:31 PM

Figured out the solution.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2023 01:36 PM

To subtract times, you first must convert the times into integer (epoch) form using strptime().

.... | table trace, Request,startTime
| join type=Inner trace
[ search .........
| table trace, Response,  EndTime]
| eval ST=strptime(startTime, "%H:%M:%S"), ET=strptime(EndTime, "%H:%M:%S")
| eval ResponseTime = ET - ST
| eval ResponseTime = tostring(ResponseTime, "duration")
| table trace request starTime response EndTime ResponseTime

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...