Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search the duration between two events ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Hi everyone. I need to find out the duration between two events in the same field. My table is like this:
user entry type timestamp
raju in epochtime
raju out epochtime
help me guys ....thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this. The chart command should create fields with same name as values in the field "entry type". The same field names will be used to calculate duration. If the values for the field "entry type" are not 'in' and 'out', you'd need to update those in line 3.
your current search giving fields user "entry type" timestamp
| chart values(timestamp) over user by "entry type"
| eval duration=out-in
| table user in out duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this. The chart command should create fields with same name as values in the field "entry type". The same field names will be used to calculate duration. If the values for the field "entry type" are not 'in' and 'out', you'd need to update those in line 3.
your current search giving fields user "entry type" timestamp
| chart values(timestamp) over user by "entry type"
| eval duration=out-in
| table user in out duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you check if either of these works:
If every userName data exists only once for in and out events so that we can use username to group all the activities from "in" to "out" as transaction events user did, then use:
index=yourIndexyour sourcetype=yourSourceType "entry type"="in" OR "entry type"="out"
| transaction user
| table user, duration
Above also assumes the timestamp are of same format.
If username data exists for more than one in and out events where user might have come in and gone out more than once they try this:
index=yourIndexyour sourcetype=yourSourceType "entry type"="in" OR "entry type"="out"
| sort user, timestamp
| autoregress user as newUserName p=1
| autoregress timestamp as newTimeStamp p=1
| eval durationTime=(timestamp-newTimeStamp)
| eval userDuration=if( user=newUserName AND 'entry type'="out"), durationTime, 0)
| table user, userDuration | where userDuration > 0
Based on the userDuration values you can accordingly divide by 60, 3600 etc. to get the userDuration in the format you like.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you check if your user, event type and timestamp fields are called "user", "event type" and "timestamp"?
The only reason all values will come in one column is if transaction command is being done on a field which has the same value for all the events in your data, say something like "userType=visitor" where all users are visitors and we did |transaction userType
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
am getting the whole users results in a single column.but i want individual person duration
i need like this
user duration
raju 10 sec
rani 11 sec
like this ...........
thanks
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
