Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find differences in time between events with some shared field values in a subsearch

brajaram
Communicator
‎04-09-2018 02:37 PM

We have our logs in JSON structured data. Events contain the following fields Time, ID, Client

I am trying to compare the times between events of different clients that contain the same ID. My query thus far:

index=... Client=A [ search index=... Client=B| table id]

This correctly finds all events with Client=A that occurs in Client=B. However, what I want to do is find the difference of Time between the events of the subsearch and the events of the primary search across ID. (i.e if 10 different IDs have a time of 1, 2, 3 for client A..., and a time of 2, 3, 4... for client B, I want a table that says ID TimeDiff so I can get summary statistics of the difference. I think I need to be using the delta command, but not sure how to set up the data to get that.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-09-2018 03:00 PM

Give this a try (the chart command will create fields with name same as value of field Client, so update the where and eval command accordingly)

index=... Client=A OR Client=B [search index=... Client=B| table ID]
| fields _time ID Client
| chart values(_time) over ID by Client
| where isnotnull('A') AND isnotnull('B')
| eval TimeDiff='B' - 'A'

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-09-2018 03:00 PM

Give this a try (the chart command will create fields with name same as value of field Client, so update the where and eval command accordingly)

index=... Client=A OR Client=B [search index=... Client=B| table ID]
| fields _time ID Client
| chart values(_time) over ID by Client
| where isnotnull('A') AND isnotnull('B')
| eval TimeDiff='B' - 'A'
Reply
Solved! Jump to solution

brajaram
Communicator
‎04-09-2018 10:07 PM

That worked perfectly. I never even knew the chart functionality worked like that, but seeing it produce the output makes a lot more sense, but I never would have been able to figure that out at all. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...