Splunk Search

calculate time between every events

ryastrebov
Communicator

Hello splunkers!

I need your help. I analyze transport accessibility between two groups of city districts. The first is known as the Departure Area (DA), the second is known as the Arrival Area (AA). Users move from DA to AA. Each area is divided into multiple districts. For each user in each district, the time of arrival to the district and the time of departure from the district are defined.
I need to calculate, for each user, the time between his departure from each district in DA and his arrival into each district in AA. For example:

user_id   time_arrival  time_departure   district   AA or DA
user1     1391400000    1391410800       12         DA
user2     1391400000    1391418000       15         DA
user3     1391418000    1391436000       42         DA
user2     1391418500    1391428000       14         DA
user3     1391446800    1391486400       18         AA
user3     1391487000    1391489300       19         AA
user1     1391745600    1391774400       18         AA
user2     1391832000    1391835600       41         AA

I need to calculate the time:
- for user1 between district 18 (AA) and district 12 (DA)
- for user2 between district 41 (AA) and district 14 (DA) and between district 41 (DA) and district 15 (DA)
- for user3 between district 19 (AA) and district 42 (DA) and between district 18 (AA) and district 42 (DA)

How can I do this? I would be very grateful for the help!

Best regards,
Roman

1 Solution

sideview
SplunkTrust
SplunkTrust

Ordinarily this sort of thing is a job for the streamstats command.

However I'm not quite sure I understand the interaction of DA vs AA. It seems almost like they can be ignored. Here's a search that basically ignores the distinction between AA and DA, but gives you transit times for the various rows.

<your searchterms> | sort 0 time_arrival | streamstats current=f last(time_arrival) as time_departure last(district) as departed_from by user_id | eval time_travelled=time_arrival - time_departure 

The streamstats docs can help you understand how this search is doing what it does.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats


sideview
SplunkTrust
SplunkTrust

I'm afraid I'm still having trouble. Could you add to your question what the exact results should be for users 1, 2 and 3?


ryastrebov
Communicator

Hello sideview!

Thanks for your help!

I need to determine transport accessibility for each district of AA from all known districts of DA. In other words, not only for the last district from DA. Is it possible?

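Added example (not sideview's search or the original poster's): one way to get every DA-district to AA-district pair per user, rather than only the previous row, is to collect the DA departures and AA arrivals per user with stats, expand them back into one row per pair, and subtract. It assumes the "AA or DA" column is indexed as a field named area; the pair fields and the rex extractions are names chosen here.

```spl
<your searchterms>
| eval da_pair=if(area=="DA", district.":".time_departure, null()),
       aa_pair=if(area=="AA", district.":".time_arrival, null())
| stats values(da_pair) as da_pairs, values(aa_pair) as aa_pairs by user_id
| mvexpand da_pairs
| mvexpand aa_pairs
| rex field=da_pairs "^(?<da_district>[^:]+):(?<time_departure>\d+)$"
| rex field=aa_pairs "^(?<aa_district>[^:]+):(?<time_arrival>\d+)$"
| eval time_travelled=time_arrival - time_departure
| table user_id da_district time_departure aa_district time_arrival time_travelled
```

Each output row is one (DA district, AA district) combination for a user, so user2 gets two rows for district 41 and user3 gets one row each for districts 18 and 19; the original time_departure and time_arrival fields are rebuilt from the pair strings after mvexpand, since stats drops all other fields.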