Thank you so much. I was able to use bits and pieces of your recommendation to make this search.
sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(time2, time1,"-")
| mvexpand timeremainder
| table timeremainder
The output gives me these 11 events. This is great. I just need the difference in time (displayed here as epoch) between the two sets of numbers on each line.
1573497176218-1573497128423
1573497252033-1573497180136
1573497261518-1573497254009
1573497269017-1573497264028
1573497294907-1573497277368
1573497305420-1573497300005
1573497320716-1573497307228
1573497328259-1573497321342
1573497339106-1573497330161
1573497346430-1573497339834
1573497357228-1573497348029
I then tried to do this:
sourcetype="XYZ" event=TimeMetrics
| spath output=time1 path="metrics.progressMetrics{}.events{}.PROGRESS_START"
| spath output=time2 path="metrics.progressMetrics{}.events{}.PROGRESS_END"
| eval timeremainder = mvzip(time2, time1,".")
| mvexpand timeremainder
| rex field=timeremainder "(?<time2>.*)\.(?<time1>.*)"
| eval time1=strftime(time1/1000,"%d-%m-%Y %H:%M:%S")
| eval time2=strftime(time2/1000,"%d-%m-%Y %H:%M:%S")
| eval diff=time2-time1
| table time1,time2,diff
However, the diff does not return the difference in time. Do you have any suggestions?
time1 time2 diff
11-11-2019 12:32:08 11-11-2019 12:32:56
11-11-2019 12:33:00 11-11-2019 12:34:12
11-11-2019 12:34:14 11-11-2019 12:34:21
11-11-2019 12:34:24 11-11-2019 12:34:29
11-11-2019 12:34:37 11-11-2019 12:34:54
11-11-2019 12:35:00 11-11-2019 12:35:05
11-11-2019 12:35:07 11-11-2019 12:35:20
11-11-2019 12:35:21 11-11-2019 12:35:28
11-11-2019 12:35:30 11-11-2019 12:35:39
11-11-2019 12:35:39 11-11-2019 12:35:46
11-11-2019 12:35:48 11-11-2019 12:35:57
Thanks
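An added example, not part of the original post: the same mvzip/mvexpand/rex pipeline, fed by makeresults with three of the value pairs listed above. It subtracts the epoch-millisecond values while they are still numbers and calls strftime only for display, because strftime returns strings and subtracting two strings in eval yields no value. The field names pair, start_ms, end_ms, diff_ms, diff_sec and duration are chosen for this example.

```spl
| makeresults
| eval time1=split("1573497128423,1573497180136,1573497254009", ",")
| eval time2=split("1573497176218,1573497252033,1573497261518", ",")
| eval pair=mvzip(time2, time1, ".")
| mvexpand pair
| rex field=pair "(?<end_ms>\d+)\.(?<start_ms>\d+)"
| eval diff_ms=tonumber(end_ms)-tonumber(start_ms)
| eval diff_sec=round(diff_ms/1000, 3)
| eval duration=tostring(round(diff_ms/1000), "duration")
| eval start=strftime(start_ms/1000, "%d-%m-%Y %H:%M:%S")
| eval end=strftime(end_ms/1000, "%d-%m-%Y %H:%M:%S")
| table start, end, diff_ms, diff_sec, duration
```

To apply it to the real events, replace the first three lines with the base search and the two spath commands from the post.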