Solved: Tabled _time - Find differences between each event

ben_leung · ‎09-11-2014

I have a tabled results of _time. Each one is an event and I want to find a difference for each event and have the value in another field.

index= sourcetype= | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time | table c_time

c_time
======
2014-09-11 00:56:24:677
2014-09-11 00:56:24:677
2014-09-11 00:56:24:676
2014-09-11 00:56:24:676
2014-09-11 00:56:24:676
2014-09-11 00:41:24:664
2014-09-11 00:41:24:664

I want to be able to get the difference between each event and chart them by the c_time.

What is the best possible way of achieving this?

sk314 · ‎09-11-2014

Try using the delta command like so:

index=<index_name> sourcetype=<sourcetype_name>  | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time |delta c_time as time_difference | table c_time time_difference

For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delta

View solution in original post

sk314 · ‎09-11-2014

Try using the delta command like so:

index=<index_name> sourcetype=<sourcetype_name>  | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS c_time |delta c_time as time_difference | table c_time time_difference

For more information: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Delta

sk314 · ‎09-11-2014

Yes. Exactly. I was too lazy to do that in my answer 😄

ben_leung · ‎09-11-2014

Thank you for the quick response, looks like I need to do more homework on this. All I have to do is convert the time_difference to a format that is human readable for users.

Tabled _time - Find differences between each event

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor