{"id":70683,"date":"2023-02-15T13:32:46","date_gmt":"2023-02-15T13:32:46","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=70683"},"modified":"2023-02-15T13:32:46","modified_gmt":"2023-02-15T13:32:46","slug":"answer-by-warren-for-how-to-find-time-duration-between-two-splunk-events-which-has-unique-key","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=70683","title":{"rendered":"Answer by warren for How to find time duration between two splunk events which has unique key"},"content":{"rendered":"<p>Try doing it with <code>stats<\/code> instead:<\/p>\n<pre><code>index=ndx sourcetype=srctp \n| rex field=_raw &quot;req\\-id\\S+(?&lt;req_id&gt;\\d+)&quot;\n| rex field=_raw &quot;com.a.b.App \\- (?&lt;sequence&gt;Making a GET Request)&quot;\n| rex field=_raw &quot;com.a.b.App \\- (?&lt;sequence&gt;Output Status Code)&quot;\n| eval sequence=sequence+&quot;;&quot;+_time\n| stats values(sequence) as sequence by req_id\n| mvexpand sequence\n| rex field=sequence &quot;(?&lt;sequence&gt;[^;]+);(?&lt;time&gt;\\d+)&quot;\n| eval time=strftime(time,&quot;%c&quot;)\n<\/code><\/pre>\n<p>This will extract the &quot;req-id&quot; into a field named <code>req_id<\/code>, and the start and end of the sequence into a field named <code>sequence<\/code><\/p>\n<p>Presuming the sample data you shared is correct, when you <code>stats values(sequence) as sequence<\/code>, it will put the &quot;Making&#8230;&quot; entry first and the &quot;Output&#8230;&quot; entry second<\/p>\n<p>Because <code>values()<\/code> will do this, when you <code>mvexpand<\/code> and then split the <code>values()<\/code>&#8216;d field part into <code>sequence<\/code> and <code>time<\/code>, they&#8217;ll be in the proper order<\/p>\n<p>If the sample data is incomplete, you may need to tweak the regexes for populating <code>sequence<\/code><\/p>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/75459984\/how-to-find-time-duration-between-two-splunk-events-which-has-unique-key\/75460511#75460511<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Try doing it with stats instead: index=ndx sourcetype=srctp | rex field=_raw &quot;req\\-id\\S+(?&lt;req_id&gt;\\d+)&quot; | rex field=_raw &quot;com.a.b.App \\- (?&lt;sequence&gt;Making a GET Request)&quot; | rex field=_raw &quot;com.a.b.App \\- (?&lt;sequence&gt;Output Status Code)&quot; | eval sequence=sequence+&quot;;&quot;+_time | stats values(sequence) as sequence by req_id | mvexpand sequence | rex field=sequence &quot;(?&lt;sequence&gt;[^;]+);(?&lt;time&gt;\\d+)&quot; | eval time=strftime(time,&quot;%c&quot;) This will extract the &quot;req-id&quot; into &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=70683\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for How to find time duration between two splunk events which has unique key<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-70683","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/70683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=70683"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/70683\/revisions"}],"predecessor-version":[{"id":70684,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/70683\/revisions\/70684"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=70683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=70683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=70683"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=70683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}