Hi everyone, I am new to Splunk, but here my query goes:
Sample data and JSON:
{id: 1 , executor: "executor1" , timestamp:2020-07-16T02:02:02.566}
{id: 1 , executor: "executor2" , timestamp:2020-07-16T02:02:02.570}
Now my requirement is to group and list the data by id and also calculate the timestamp difference between executor1 and executor2 (as they are sequential steps and logging is also done sequentially).
So I did " stats list(executor) as executors, list(timestamp) as logtime by id ".
And the table comes like this:
id | executors | logtime
1 | executor 1| 2020-07-16T02:02:02.566
| executor 2 |2020-07-16T02:02:02.570
Now I want to calculate the difference between the logtime or timestamp of the executors and apply it on the stats command only. P.S. The number of executors can increase dynamically.
Required result:
id | executors | logtime | time difference
1 | executor 1| 2020-07-16T02:02:02.566 | 0
| executor 2 |2020-07-16T02:02:02.570| 0.004
P.S. The above is the description of 1 row only with 4 columns.
Thanks in advance.
index=_internal | head 2 | fields _raw _time | streamstats count
| eval _raw=if(count=1,"{id: 1 , executor: \"executor1\" , timestamp:2020-07-16T02:02:02.566}","{id: 1 , executor: \"executor2\" , timestamp:2020-07-16T02:02:02.570}")
| rename COMMENT as "the logic"
| rex max_match=0 "(?<fieldname>\w+):\s?(?<value>\S+)(}| )"
| eval _raw=mvzip(fieldname,value,"=")
| kv
| eval _time=strptime(timestamp,"%FT%T.%3N")
| fields - fieldname value
| delta _time as time_diff
| fillnull time_diff
| table id executor timestamp time_diff
| rename executor as "executors", timestamp as logtime, time_diff as "time difference"
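Added example, not part of the answer above: the same computation carried out per id, which the delta command cannot do (it has no by clause), so streamstats supplies the previous event's _time for each id instead. It assumes the events already have the id, executor and timestamp fields from the question; makeresults builds a constructed sample in place of indexed data, and the "rename COMMENT" lines are the no-op comment idiom used in the search above.

```spl
| makeresults count=4
| streamstats count as n
| rename COMMENT as "constructed sample: two ids, each with two sequential executors"
| eval id=if(n<=2, 1, 2)
| eval executor=if(n%2=1, "executor1", "executor2")
| eval timestamp=case(n=1, "2020-07-16T02:02:02.566",
                      n=2, "2020-07-16T02:02:02.570",
                      n=3, "2020-07-16T02:03:00.000",
                      n=4, "2020-07-16T02:03:00.250")
| fields - n
| rename COMMENT as "the logic: parse the timestamp, order events within each id, diff against the previous event of the same id"
| eval _time=strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N")
| sort 0 id _time
| streamstats current=f last(_time) as prev_time by id
| eval time_difference=if(isnull(prev_time), 0, round(_time - prev_time, 3))
| stats list(executor) as executors, list(timestamp) as logtime, list(time_difference) as "time difference" by id
```

The result is one row per id with multivalue columns, so for id 1 the "time difference" column lists 0 and 0.004 in executor order, matching the required result in the question.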
Hi @sdk32,
This should do the job:
| streamstats window=2 range(logtime) as time_difference
Hope it works.
BR
Ralph