Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparing an incidents event timestamp to Splunk landing timestamp

auzark
Communicator
‎04-23-2024 03:41 AM

I would like some help creating a report that will show the seconds diff between my event timestamp and the Splunk landing timestamp.

I have the below query which will give me the diff between _indextime  and  _time  but I would also like the seconds difference between GenerationTime (ie...2024-04-23 12:49:52)    and _indextime.

index=splunk_index  sourcetype=splunk_sourcetype
| eval tnow = now() | convert ctime(tnow)
| convert ctime(_indextime) as Index_Time
| eval secondsDifference=_indextime-_time
| table Node EventNumber GenerationTime Index_Time, _time, secondsDifference 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2024 05:04 AM

Convert GenerationTime into epoch format, then take the difference between the result and _indextime.

index=splunk_index  sourcetype=splunk_sourcetype
| eval tnow = now() | convert ctime(tnow)
| convert ctime(_indextime) as Index_Time
| eval secondsDifference=_indextime-_time
| eval genEpoch = strptime(GenerationTime, "%Y-%m-%d %H:%M:%S")
| eval genSecondsDifference = _indextime - genEpoch
| table Node EventNumber GenerationTime Index_Time, _time, secondsDifference, genSecondsDifference
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

auzark
Communicator
‎04-28-2024 11:50 PM

How would I incorporate an average of genSecondsDifference over a 24 hour period? for 7 days?

0 Karma
Reply
Solved! Jump to solution

auzark
Communicator
‎04-23-2024 07:47 PM

Thanks, Tejas and Rich...   Very much appreciated.

Reply
Solved! Jump to solution

tej57
Communicator
‎04-23-2024 05:15 AM

Hello @auzark ,

You can assign a particular field to _indextime and then use that to find the difference. The only catch here would be that _indextime would be in epoch time and hence, you'll have to convert the GenerationTime into epoch format before calculating the difference. Your query should look something like below:

index=splunk_index  sourcetype=splunk_sourcetype
| eval tnow = now() 
| eval indexTime = _indextime
| eval GenerationTime_epoch=strptime(GenerationTime,"%Y-%m-%d %H"%M:%S")
| convert ctime(tnow)
| convert ctime(_indextime) as Index_Time
| eval secondsDifference=indexTime-_time
| eval GenTimeDifferenceInSeconds = GenerationTime_epoch-indexTime
| table Node EventNumber GenerationTime Index_Time, _time, secondsDifference,GenTimeDifferenceInSeconds

 

Thanks,
Tejas.

---
If the above solution helps, an upvote is appreciated!!

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-23-2024 05:04 AM

Convert GenerationTime into epoch format, then take the difference between the result and _indextime.

index=splunk_index  sourcetype=splunk_sourcetype
| eval tnow = now() | convert ctime(tnow)
| convert ctime(_indextime) as Index_Time
| eval secondsDifference=_indextime-_time
| eval genEpoch = strptime(GenerationTime, "%Y-%m-%d %H:%M:%S")
| eval genSecondsDifference = _indextime - genEpoch
| table Node EventNumber GenerationTime Index_Time, _time, secondsDifference, genSecondsDifference
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

auzark
Communicator
‎04-28-2024 11:44 PM

Hi Rich,

How would I incorporate an average of genSecondsDifference over a 24 hour period? for 7 days?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...