Splunk Search

## calculate duration

Builder

Hi,
I need to calculate the duration between each Out/In where A=A+100, B=B, IDS=IDS.

```
00:03:02.067 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:02.110 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]
```

Expected output:

| duration | B | IDS |
|---|---|---|
| 00:00:00.043 | 123456 | 123456789987 |

Any idea?
Thanks

1 Solution
SplunkTrust
```
| sort 0 B IDS _time
| streamstats latest(_time) as previous_time latest(A) as previousA window=1 current=f by B IDS
| where A=previousA+100
| stats latest(previous_time) as start latest(_time) as end by B IDS
| eval duration=tostring(end-start,"duration")
| table duration B IDS
```
SplunkTrust

Would this work for you?

```
| stats earliest(_time) as start latest(_time) as end by B IDS
| eval duration=tostring(end-start,"duration")
| table duration B IDS
```
Builder

Thanks for the answer; without the "where" I mentioned, it doesn't return the correct duration.

Any idea?

SplunkTrust

Can you share more representative example data to show why it doesn't work?

Builder

I have lots of lines like this, so if A, B, IDS match each other I need to get the latest one and calculate the duration.

1. Step one, where: A=A+100, B=B, IDS=IDS
2. Step two, find the latest one
3. Calculate the duration

```
00:03:00.010 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:00.020 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]

00:03:01.025 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:01.026 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]

00:03:02.067 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:02.110 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]
```

Output:

| duration | B | IDS |
|---|---|---|
| 00:00:00.043 | 123456 | 123456789987 |

SplunkTrust
```
| sort 0 B IDS _time
| streamstats latest(_time) as previous_time window=1 current=f by B IDS
| stats latest(previous_time) as start latest(_time) as end by B IDS
| eval duration=tostring(end-start,"duration")
| table duration B IDS
```
Builder

It still returns an incorrect duration for some of the events that are not A=A+100.

e.g.:

It finds 3 events like this and considers the first line as OUT, while the second line is the OUT event of the third line. If the condition check "A=1000" must match "A+100=1100", it will be fixed.

```
00:03:00.000 app catZZ_DDP_AP: O[host]A[2000]B[123456]IDS[123456789987]

00:03:02.067 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]
00:03:02.110 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]
```

Current output:

duration = 00:00:02.110

Expected output:

duration = 00:00:00.043

"A" of each OUT must be matched with "A"+100, meaning 1100.

If "A" of OUT is 4000, then "A" of IN should be 4100.

SplunkTrust
```
| sort 0 B IDS _time
| streamstats latest(_time) as previous_time latest(A) as previousA window=1 current=f by B IDS
| where A=previousA+100
| stats latest(previous_time) as start latest(_time) as end by B IDS
| eval duration=tostring(end-start,"duration")
| table duration B IDS
```
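The same pairing logic expressed in Python, as an added example that is not part of the thread or of Splunk's own code: it parses the log format shown above, walks each (B, IDS) group in time order like `streamstats window=1 current=f`, keeps only events whose A equals the previous A plus 100 like the `where`, and reports the latest such pair like `stats latest()`. The sample lines are constructed from the thread's examples, including the orphan A=2000 OUT event that must not be paired.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in the thread's format (not real data).
SAMPLE_EVENTS = [
    "00:03:00.000 app catZZ_DDP_AP: O[host]A[2000]B[123456]IDS[123456789987]",
    "00:03:00.010 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]",
    "00:03:00.020 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]",
    "00:03:02.067 app catZZ_DDP_AP: O[host]A[1000]B[123456]IDS[123456789987]",
    "00:03:02.110 app catZZ_DDP_AP: I[host]A[1100]B[123456]IDS[123456789987]",
]

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \S+ \S+: "
    r"(?P<dir>[OI])\[[^\]]*\]A\[(?P<A>\d+)\]B\[(?P<B>\d+)\]IDS\[(?P<IDS>\d+)\]$"
)

def parse(line):
    """Extract _time, direction, A, B and IDS from one event; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m["time"], "%H:%M:%S.%f")
    return {"_time": t, "dir": m["dir"], "A": int(m["A"]), "B": m["B"], "IDS": m["IDS"]}

def durations(lines):
    """Per (B, IDS): previous event within the group is the 'previous_time/previousA'
    of streamstats; an event passes the where-test only when A == previousA + 100;
    the latest passing pair wins, as with stats latest()."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: (e["B"], e["IDS"], e["_time"]))  # sort 0 B IDS _time
    result, prev = {}, {}
    for e in events:
        key = (e["B"], e["IDS"])
        p = prev.get(key)
        if p is not None and e["A"] == p["A"] + 100:
            result[key] = e["_time"] - p["_time"]
        prev[key] = e  # window=1 current=f: only the immediately preceding event
    return result

def fmt(td):
    """Render a timedelta as HH:MM:SS.mmm, the shape tostring(x,"duration") gives here."""
    total_ms = td // timedelta(milliseconds=1)  # exact integer division, no float rounding
    h, rem = divmod(total_ms, 3_600_000)
    m, rem = divmod(rem, 60_000)
    s, ms = divmod(rem, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{ms:03d}"

def report(lines):
    """The `table duration B IDS` output, keyed by (B, IDS)."""
    return {key: fmt(td) for key, td in durations(lines).items()}

if __name__ == "__main__":
    for (b, ids), d in report(SAMPLE_EVENTS).items():
        print(d, b, ids)  # 00:00:00.043 123456 123456789987
```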
Builder

I think this line needs to be replaced with "match" instead of "where":

`| where A=previousA+100`

Currently it puts the result in A, while it should check them.

If A equals A+100 they match; then calculate the duration.

SplunkTrust

`where` is keeping events in the pipeline where A in the event is equal to previousA + 100; it is not an assignment.

Builder

You're right about "where", it was my fault.

It works now. In the result page I have a field called "servername" and need to group by servername.

Current result:

| servername | duration | B | IDS |
|---|---|---|---|
| server1 | 00:00:00.043 | 123456 | 123456789987 |
| server1 | 00:00:00.033 | 123456 | 123456789987 |
| server1 | 00:00:00.093 | 123456 | 123456789987 |
| server2 | 00:00:00.099 | 123456 | 123456789987 |

Expected result:

| servername | duration | B | IDS |
|---|---|---|---|
| server1 | 00:00:00.043 | 123456 | 123456789987 |
|  | 00:00:00.033 | 123456 | 123456789987 |
|  | 00:00:00.093 | 123456 | 123456789987 |
| server2 | 00:00:00.099 | 123456 | 123456789987 |

Any idea?

Thanks

SplunkTrust

If you really want servername "removed" or other fields grouped by servername try this:

```
| stats list(duration) as duration list(B) as B list(IDS) as IDS by servername
```