Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you calculate time difference between multiple events that aren't in chronological order?

puneetkharband1
Path Finder
‎10-18-2018 11:24 AM

I have 6 events. Each one has a timestamp, and I have extracted the time of each into a new field using eval. But now, I am not able to create timedifference between event6-event1 or event4-event3 as per my needs.

I do not want to use the transaction command as I need to write multiple searches, and I am trying to solve this in search.

I am at a point where my last seach line is 

| table Fourm_step_1_Time Fourm_step_2_Time Fourm_step_3_Time Fourm_step_4_Time Fourm_step_5_Time Fourm_step_6_Time

results are
0 0
0 0
0 0
0 0
0 123435453
1234545433 0
so on
@somesoni2

0 Karma
Reply

ehollima
Path Finder
‎10-18-2018 04:49 PM

When I am looking for time skews I use the following (credit to Hunter for the SPL)

index= earliest=-1m latest=+24h
| stats latest(_time) AS time by host
| eval now=now()
| eval offset=time-now
| eval time1=strftime(time,"%F - %T")
| eval now1=strftime(now,"%F - %T %Z")
| eval offset1=tostring(offset,"duration")
| convert ctime(time), ctime(now)
| table host offset offset1 time now now1 time1

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...