I have such events:
Request:
Request "id":"123-abc-456"
Response:
Response "id":"123-abc-456"
With the following query
(index=something "Response") OR (index=something "Request")
|rex field=_raw "id\":\"(?<id>[a-z0-9-]+)"
| table _time id
I get a table which contains the id and _time field of one event. It looks like this:
_time id
2022-01-01 12:00:00:00 123-abc-456
2022-01-01 12:11:11:11 123-abc-456
Now, I am wondering if it is possible to maybe generate a new table with the difference of _time fields grouped by the id field? Or do I have to change my query upon in order to get a table like this and then compute the difference? But I do not know how to get such a table as below...
Requesttime id Reponsetime
2022-01-01 12:00:00:00 123-abc-456 2022-01-01 12:11:11:11
Thanks a lot in response!
Splunk can only compute the difference between timestamps when they're in epoch (integer) form. Fortunately, _time is already in epoch form (automatically converted to text when displayed).
If Requesttime and Responsetime are in the same event/result then computing the difference is a simple | eval diff=Responsetime - Requesttime.
If the two timestamps are in different events/results then we can use the range() function to get their difference.
index=something "Request"
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)"
| table _time id
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id
```Format the timestamps manually```
| fieldformat Requesttime=strftime(Requesttime, "%Y-%m-%d %H:%M:S")
| fieldformat Responsetime=strftime(Responsetime, "%Y-%m-%d %H:%M:S")
| fieldformat diff=tostring(diff,"duration")