Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2021-04-27 16:00:00 +0000

djk gravatar image

The time difference between 2 events in Splunk can be calculated using the "timechart" command. This command can be used to create a chart that displays the time difference between two events in a selected time range. To calculate the time difference between two events, the "range" function can be used along with the "timechart" command. The syntax for using "timechart" command is:

| timechart span=1d sum(fieldname) as fieldname | eval timediff=range(fieldname)

Here, "span=1d" specifies the time range for the chart (in this case, one day). "fieldname" should be replaced with the name of the field that contains the timestamp for the events. "timediff" is a calculated field that contains the time difference between the events.


Copyright QStack.ai, 2010-2023. Content on this site is licensed under the Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service | contact