Splunk: How to compute the difference of timestamps by id?

Question

I have such events:

Request:

 Request "id":"123-abc-456"

Response:

 Response "id":"123-abc-456"

With the following query

(index=something "Response") OR (index=something "Request") 
|rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| table _time id

I get a table which contains the id and _time field of one event. It looks like this:

_time id
2022-01-01 12:00:00:00 123-abc-456
2022-01-01 12:11:11:11 123-abc-456

Now, I am wondering if it is possible to maybe generate a new table with the difference of _time fields grouped by the id field? Or do I have to change my query upon in order to get a table like this and then compute the difference? But I do not know how to get such a table as below...

Requesttime id Reponsetime
2022-01-01 12:00:00:00 123-abc-456 2022-01-01 12:11:11:11

Thanks a lot in response!

Answer 1

Splunk can only compute the difference between timestamps when they're in epoch (integer) form. Fortunately, _time is already in epoch form (automatically converted to text when displayed).

If Requesttime and Responsetime are in the same event/result then computing the difference is a simple | eval diff=Responsetime - Requesttime.

If the two timestamps are in different events/results then we can use the range() function to get their difference.

index=something "Request"
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| table _time id
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id
```Format the timestamps manually```
| fieldformat Requesttime=strftime(Requesttime, "%Y-%m-%d %H:%M:S")
| fieldformat Responsetime=strftime(Responsetime, "%Y-%m-%d %H:%M:S")
| fieldformat diff=tostring(diff,"duration")