Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- time difference between event A and next earliest ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
time difference between event A and next earliest occurrence of event B in timechart? (both extracted fields)
Hi all,
Just to let you know i'm very new to splunk and I'm looking for some help on the best approach to solve a problem.
Problem
There is a log which has two separate lines that state the start (A) and end (B) time of a process. The process occurs twice a day - once around 5:45am (+/- 30 mins) and once around 10:45PM (+/- 30 mins). The timing difference between A and B can be assumed to be no more than 1 hour apart.
I would like to how can I calculate the time difference between A and the next earliest occurrence of B? Thus giving me the execution time which could be put into a timechart.
The log file looks something like this:
-Random lines in log
-A
-Random lines in log
-B
-Random lines in log
-A (Run at 1PM and to be disregarded)
-Random lines in log
-B (Run at 1PM and to be disregarded)
-Random lines in log
-A
-Random lines in log
-B
I have found localize and map may be of use but would like to affirm is this the right approach or is there something better?
Another fact that is important is that this process also runs a third time every day at 1PM but I do Not want this timecharted. I feel this could be ignored by **date_time != 12** for each event.
Both A and B are also extracted fields.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this:
index=YouShoulAlwaysSpecifyAnIndexValue sourctype=AndSourcetypeToo A=* OR B=*
| fields _time host A B
| streamstats count(B) AS sessionID BY host
| selfjoin sessionID host overwrite=f
| eval _time = B
| eval executionTime = B - A
| timechart avg(executionTime) BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thank you for your suggestion,
could you please help me understand how that solution works?
Also I seem to be getting an error for the line "eval _time = B" .. not sure why but the Times for all events of B appeas as.. NaN/NaN/0NaN
NaN:NaN:NaN.000 after that line and _time becomes the actual value of B
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was afraid of that. You will need to figure out the time format of your A and B fields and use strftime like this:
index=YouShoulAlwaysSpecifyAnIndexValue sourctype=AndSourcetypeToo A=* OR B=*
| fields _time host A B
| streamstats count(B) AS sessionID BY host
| selfjoin sessionID host overwrite=f
| eval A = strftime(A, "%Your%Time%Format%Here")
| eval B = strftime(B, "%Your%Time%Format%Here")
| eval _time = B
| eval executionTime = B - A
| timechart avg(executionTime) BY host
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
