Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Tabled _time - Find differences between each event

ben_leung
Builder
‎09-11-2014 12:38 PM

I have a tabled results of _time. Each one is an event and I want to find a difference for each event and have the value in another field.

index= sourcetype= | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time | table c_time

c_time
======
2014-09-11 00:56:24:677
2014-09-11 00:56:24:677
2014-09-11 00:56:24:676
2014-09-11 00:56:24:676
2014-09-11 00:56:24:676
2014-09-11 00:41:24:664
2014-09-11 00:41:24:664

I want to be able to get the difference between each event and chart them by the c_time.

What is the best possible way of achieving this?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sk314
Builder
‎09-11-2014 12:47 PM

Try using the delta command like so:

index=<index_name> sourcetype=<sourcetype_name>  | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time |delta c_time as time_difference | table c_time time_difference

For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delta

View solution in original post

Reply
Solved! Jump to solution
Solution

sk314
Builder
‎09-11-2014 12:47 PM

Try using the delta command like so:

index=<index_name> sourcetype=<sourcetype_name>  | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time |delta c_time as time_difference | table c_time time_difference

For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delta

Reply
Solved! Jump to solution

sk314
Builder
‎09-11-2014 01:20 PM

Yes. Exactly. I was too lazy to do that in my answer 😄

0 Karma
Reply
Solved! Jump to solution

ben_leung
Builder
‎09-11-2014 01:00 PM

Thank you for the quick response, looks like I need to do more homework on this. All I have to do is convert the time_difference to a format that is human readable for users.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...