Re: Find the duration between two events

luna · ‎03-31-2021

Hello,

I need to find the duration between two events. I went over the solutions on Splunk, but still can't get the calculation. Both sentToSave and SaveDoc have the time stamp already formatted that is why I used the case function. I am able to see the fields populate with their time stamps, but I am not able to get the Duration field to populate the duration - it simply does not populate at all. Need some help on how to get the Duration - any advise? Below is my query

(index=souce1 dept=qvc  event="sentToSave"  ) OR (index=source dept=save area=saveDoc)

 

| eval saveDocTime=case(area="saveDoc", TimeStamp),

sentToSaveTime=case(event="sentToSave", TimeStamp)

| eval Duration=saveDocTime-sentToSaveTime

| stats values(Duration) as Duration earliest(sentToSaveTime) as sentToSaveTime latest(saveDocTime) as saveDocTime  by emailRequest

| where isNotNull(sentToSaveTime) AND isNotNull(saveDocTime)

luna · ‎04-02-2021

I also needed to have turned the times I was subtracting to epoch. I used strptime to subtract the times then I was able to get duration.

scelikok · ‎03-31-2021

Hi @luna,

Since saveDocTime and sentToSaveTime fields are not in the same event, Duration cannot be calculated. Please try below;

(index=souce1 dept=qvc event="sentToSave" ) OR (index=source dept=save area=saveDoc) 
| eval saveDocTime=case(area="saveDoc", TimeStamp), sentToSaveTime=case(event="sentToSave", TimeStamp) 
| stats earliest(sentToSaveTime) as sentToSaveTime latest(saveDocTime) as saveDocTime by emailRequest 
| eval Duration=saveDocTime-sentToSaveTime 
| where isNotNull(sentToSaveTime) AND isNotNull(saveDocTime)

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Find the duration between two events

eval

stats

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!