
## calculate time between every events

Communicator

Hello splunkers!

I need your help. I analyze transport accessibility between two groups of city districts. The first is known as the Departure Area (DA), the second as the Arrival Area (AA). Users move from DA to AA. Each area is divided into multiple districts. For each user in each district, the time of arrival to the district and the time of departure from the district are defined.
I need to calculate, for each user, the time between his departure from each district in DA and his arrival into each district in AA. For example:

```
user_id   time_arrival  time_departure   district   AA or DA
user1     1391400000    1391410800       12         DA
user2     1391400000    1391418000       15         DA
user3     1391418000    1391436000       42         DA
user2     1391418500    1391428000       14         DA
user3     1391446800    1391486400       18         AA
user3     1391487000    1391489300       19         AA
user1     1391745600    1391774400       18         AA
user2     1391832000    1391835600       41         AA
```

I need to calculate the time:
- for user1 between district 18 (AA) and district 12 (DA)
- for user2 between district 41 (AA) and district 14 (DA) and between district 41 (DA) and district 15 (DA)
- for user3 between district 19 (AA) and district 42(DA) and between district 18 (AA) and district 42 (DA)

How can I do this? I would be very grateful for the help!

Best regards,
Roman

SplunkTrust

Ordinarily this sort of thing is a job for the streamstats command.

However, I'm not quite sure I understand the interaction of DA vs AA. It seems almost like they can be ignored. Here's a search that basically ignores the distinction between AA and DA, but gives you transit times for the various rows.

```
<your searchterms> | sort 0 time_arrival | streamstats current=f last(time_departure) as departed_at last(district) as departed_from by user_id | eval time_travelled=time_arrival - departed_at
```

The streamstats docs can help you understand how this search is doing what it does.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats


SplunkTrust

I'm afraid I'm still having trouble. Could you add to your question what the exact results should be for users 1 2 and 3?

Communicator

Hello sideview!

I need to determine transport accessibility for each district of AA from all known districts of DA. In other words, not only for the last district from DA. Is it possible?
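A search that answers this follow-up, pairing every DA district a user departed from with every AA district the same user arrived in, is given below. It is an added example, not part of sideview's answer above, and it assumes the "AA or DA" column from the sample table is extracted as a field named `area` with the values `DA` and `AA` (rename it if your field is called something else). The `max=0` option on `join` matters: by default `join` keeps only one subsearch result per main-search event, which would silently drop all but the first AA district for each user.

```splunk
<your searchterms> area="DA"
| rename time_departure AS da_departure, district AS da_district
| fields user_id da_district da_departure
| join type=inner max=0 user_id
    [ search <your searchterms> area="AA"
      | rename time_arrival AS aa_arrival, district AS aa_district
      | fields user_id aa_district aa_arrival ]
| eval time_travelled = aa_arrival - da_departure
| table user_id da_district da_departure aa_district aa_arrival time_travelled
| sort 0 user_id da_district aa_district
```

On the sample table in the question this yields one row per DA/AA district pair: user1 12 to 18 = 334800 s, user2 14 to 41 = 404000 s and 15 to 41 = 414000 s, user3 42 to 18 = 10800 s and 42 to 19 = 51000 s. Since the subsearch runs against the same index, keep the time range and search terms identical in both halves; a subsearch that hits its result limit will also truncate the pairs, so check the job inspector for subsearch warnings on large data sets.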
