Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculating time difference between two fields of the same name in two sourcetypes

asarolkar
Builder
‎01-21-2013 09:27 AM

All,

I have two logs with sourcetype="alphalog" and sourcetype="betalog" with the generic timestamp _time present.

I am joining them on a field called accountId.

What I want to do is to be able to find the difference between the "_time" values if possible ?

How do I find the time difference (epoch time is fine too) between two _time values in two difference log files ?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎01-21-2013 09:46 AM

Although it might not be the fastest, you can use "transaction".

sourcetype="alphalog" OR sourcetype="betalog" | transaction accountId maxspan=10m| timechart duration by accountId

Transaction calculates the duration in seconds for each transaction.

You can also do a stats and eval:

sourcetype="alphalog" OR sourcetype="betalog" | stats latest(_time) as lt earliest(_time) as et by accountId| eval duration = lt - et| table duration accountID

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎01-21-2013 09:46 AM

Although it might not be the fastest, you can use "transaction".

sourcetype="alphalog" OR sourcetype="betalog" | transaction accountId maxspan=10m| timechart duration by accountId

Transaction calculates the duration in seconds for each transaction.

You can also do a stats and eval:

sourcetype="alphalog" OR sourcetype="betalog" | stats latest(_time) as lt earliest(_time) as et by accountId| eval duration = lt - et| table duration accountID

Reply
Solved! Jump to solution

kallu
Communicator
‎01-21-2013 11:23 AM

It's all in manuals 🙂

Let's say you have a set of events where the IP address is extracted to either clientip or ipaddress. This example defines a new field called ip, that takes the value of either clientip or ipaddress, depending on which is not NULL (exists in that event):

... | eval ip=coalesce(clientip,ipaddress)

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Reply
Solved! Jump to solution

asarolkar
Builder
‎01-21-2013 10:31 AM

Hi,

I have a stupid question for followup 🙂 !

What if the field was named accountNumber in alphalog and accountId in betalog, how would the searches that you suggested change (obviously a join is involved)

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...