Splunk: How to get specific timestamps if there are multiple in one event and change format and timeszones to compute timediff within one event?

splunk

I have such events:

something
<operation>abc</operation>
<timeSent>2022-01-22T02:55:58.002Z</timeSent>
<operation>def</operation>
<timeSent>2022-01-21T13:09:18.333Z</timeSent>

What I now want to get is the timestamp of every event and the last timestamp (i. e. the maximum timestamp of the timeSent-timestamps).

I tried this:

rex field=_raw "timeSent>(?<timeSent>[T:0-9-.]+)Z<" 
| stats max(_time) as Responsetime, min(timeSent) as Requesttime

But this only gives me the maximum timestamp of all of the observed timestamps and the minimum of all timeSent-timestamps. Moreover, I have the problem that I have on the one hand a different format for the timestamps and also different timezones. How could I solve this in order to compute the difference of Responsetime and Requesttime?


Solution 1:

Timestamps have to be converted into epoch (integer) form before they can be compared. Do that with the strptime() function.

rex field=_raw "timeSent>(?<timeSent>[T:0-9-.]+)Z<" 
| eval timeSent = strptime(timeSent, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| stats max(_time) as Responsetime, min(timeSent) as Requesttime

Related

How to extract all contents inside a div from HTML string in JavaScript
Android fragment in isolation
Dropbox gone from indicator area after upgrade to 11.04
How to make cursor change from thin line to block based on normal or insert mode in Console Vim on Gnome Terminal
How to record internet radio?
Ubuntu One for other Linux Distributions?
How can I determine X resolution from CLI without randr?
Fsck gets mad when the file system is mounted
Is my encrypted home folder open to other users when I am logged in?
How to find out how many people have downloaded from PPAs [duplicate]
How to use gedit-latex-plugin?
How to convert ALAC to FLAC?