Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to retrieve specific timestamps for specific values ?

malice
Observer
‎11-14-2021 05:30 AM

Hello everyone,

I am currently developing a use case in which I have the below info:

Username

User Status

User Code

Time of Event per User Status update

user A

0

0

1

1

xxxxx

2021-11-13 22:22:15

2021-11-13 23:40:09

2021-11-13 23:45:09

2021-11-13 23:50:09

user B

0

1

yyyyy

2021-11-13 22:40:09

2021-11-13 22:50:09

user A

0

1

1

ggggg

2021-11-13 22:50:09

2021-11-13 22:55:09

2021-11-13 22:58:09

 

I would like  to find for each user the time difference between the timestamps of the first occurrence of status 0 and then the first occurrence of status 1.

So based on the above table, I would like to extract the timestamp of 2021-11-13 22:22:15 for User Status 0 and the timestamp 2021-11-13 23:45:09 for User Status 1 for the user A.

 

So my search query so far looks like it:

 

| my index
| sort UserStatus

| transaction mvlist=true Username UserStatus | search eventcount >1 | UserStatus =0 and UserStatus=1

 

Any help will be much appreciated! Thanks 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-14-2021 10:00 AM

What is your original data? Because this already looks like some calculated stats table.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2021 05:52 AM

Try something like this

| stats earliest(_time) as time by Username 'User Status'
| eval time0=if('User Status'=0,time,null())
| eval time1=if('User Status'=1,time,null())
| stats values(time0) as time0 values(time1) as time1 by Username
| eval diff=time1-time0
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...