I need to find the duration between two events. I went over the solutions on and Stack Overflow, but still can't get the calculation.

Both sentToSave and SaveDoc have the time stamp already formatted, which is why I used the case function. I am able to see the fields populate with their time stamps, but I am not able to get the Duration field to populate the duration - it simply does not populate at all.

Need some help on how to get the Duration - any advice? Here is my search:

(index=souce1 dept=qvc event="sentToSave") OR (index=source dept=save area=saveDoc)
| eval saveDocTime=case(area="saveDoc", TimeStamp), sentToSaveTime=case(event="sentToSave", TimeStamp)
| eval Duration=saveDocTime-sentToSaveTime
| stats values(Duration) as Duration earliest(sentToSaveTime) as sentToSaveTime latest(saveDocTime) as saveDocTime  by emailRequest
| where isNotNull(sentToSaveTime) AND isNotNull(saveDocTime)

2 Answers

Timestamps must be in integer (epoch) form to be compared. Use the strptime function to convert them from strings to integers and then you can subtract them.

As @Anant Naugai said, if you provide some sample events then we can be more specific.

The reason Duration is not populating, I suspect without data, is that the saveDocTime and sentToSaveTime fields are from different events. (Your first line implies as much with different indexes).

Since eval works on each result in parallel, Duration as it is currently calculated will always be undefined since you are always trying to perform a calculation with a value that doesn't exist (one or the other, depending on which kind of event it's attempting).

Now your stats event pulls the fields together into a single event for each emailRequest. So if you move your eval for calculating Duration to after the stats command you'll have a duration.

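Putting both answers together, here is an added example of the reworked search (not from the question or either answer): TimeStamp is parsed to epoch with strptime first, the per-event markers are kept, and Duration is computed only after stats has joined the two event types per emailRequest. The strptime format string and the index names are assumptions; adjust them to the real events.

```spl
(index=source1 dept=qvc event="sentToSave") OR (index=source2 dept=save area=saveDoc)
| eval ts=strptime(TimeStamp, "%Y-%m-%d %H:%M:%S")
| eval saveDocTime=case(area=="saveDoc", ts), sentToSaveTime=case(event=="sentToSave", ts)
| stats earliest(sentToSaveTime) as sentToSaveTime latest(saveDocTime) as saveDocTime by emailRequest
| where isnotnull(sentToSaveTime) AND isnotnull(saveDocTime)
| eval Duration=saveDocTime-sentToSaveTime
| eval DurationReadable=tostring(Duration, "duration")
```

If strptime returns null for every event, the format string does not match TimeStamp; check a raw value with `| head 1 | table TimeStamp` before tuning it.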