I have data like below. How do I calculate the time difference between A.1-B.1, A.2-B.2, ..., A.n-B.n?
Time Offset Word1
978 Start -------> A.1
1152 Start -------> A.2
1358 Start -------> A.3
1375 Controller -------> B.1
1569 Start -------> A.4
1577 Controller -------> B.2
1771 Controller -------> B.3
1965 Start -------> A.5
2095 Controller -------> B.4
2167 Start -------> A.6
2348 Start -------> A.7
... | eval timea1=if(match(_raw,".*A\.1.*"),_time,null())
| eval timeb1=if(match(_raw,".*B\.1.*"),_time,null())
| stats max(timea1) as timea1 max(timeb1) as timeb1
| eval Tab1=timea1-timeb1
| table timea1 timeb1 Tab1
Something like that, but we need more details, such as what your field names are, etc., to make it a more appropriate answer.
Thanks for your answer. Maybe I didn't explain it clearly: A.1, A.2, B.1 are not in the event. The real data is just like:
978 Start
1152 Start
1358 Start
1375 Controller
1569 Start
1577 Controller
1771 Controller
1965 Start
2095 Controller
2167 Start
2348 Start
Is there any way to calculate the difference between the first Start and the first Controller, and the subsequent ones?
Is this data already in Splunk? Have all the fields been extracted? What is the name of the field that has A.1, A.2 etc?
Yes, this data is already in Splunk. A.1, A.2, etc. are not in the data field; the data is just like "978 Start".
Thanks
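An added example, not part of the original thread: one way to pair the n-th Start with the n-th Controller in SPL by numbering each occurrence with streamstats. The field names offset and word are assumptions (extracted here with rex from raw text like "978 Start"), and the makeresults lines only rebuild the sample rows from the question so the search runs on its own.

```spl
| makeresults
| eval raw="978 Start;1152 Start;1358 Start;1375 Controller;1569 Start;1577 Controller;1771 Controller;1965 Start;2095 Controller;2167 Start;2348 Start"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<offset>\d+)\s+(?<word>\w+)"
| eval offset=tonumber(offset)
| sort 0 offset
| streamstats count as n by word
| stats max(eval(if(word=="Start", offset, null()))) as start_offset
        max(eval(if(word=="Controller", offset, null()))) as controller_offset
        by n
| where isnotnull(start_offset) AND isnotnull(controller_offset)
| eval diff=controller_offset-start_offset
| sort 0 n
| table n start_offset controller_offset diff
```

On real events, replace the lines up to and including mvexpand with the base search. Starts that have no Controller with the same ordinal are dropped by the where clause, and diff is computed as Controller minus Start.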