I am trying to use eval to calculate the time between events. Those events have a unique ID.
This is the search that I have now:
| eval Test=if('message.information'=="some_data", _time, null())
| eval Test2=if('message.information'=="some_data_2", _time, null())
| eval Test3=Test-Test2
| table _time Test Test2 Test3
I am doing something wrong I guess because I only see values in the _time column, the rest is empty.
[screenshot: search results table showing only the _time column populated]
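As an added example (not part of the original question), here is one way to compute the time between two events that share an ID in SPL. The field names `event_id`, `'message.information'` and the index name `my_index` are assumptions for illustration; the original search was not supplied with them. Two things differ from the search above: a field name containing a dot must be wrapped in single quotes inside `eval`, otherwise `message.information` is parsed as a concatenation rather than a field reference; and the start and end timestamps live on different events, so subtracting them inside a single `eval` row always yields null. They have to be brought together onto one row first, here with `stats ... BY event_id`.

```spl
index=my_index ("some_data" OR "some_data_2")
| eval start_time=if('message.information'=="some_data", _time, null())
| eval end_time=if('message.information'=="some_data_2", _time, null())
| stats min(start_time) AS start_time max(end_time) AS end_time BY event_id
| eval duration_sec=end_time-start_time
| where isnotnull(duration_sec)
| eval start_time=strftime(start_time, "%Y-%m-%d %H:%M:%S"), end_time=strftime(end_time, "%Y-%m-%d %H:%M:%S")
| table event_id start_time end_time duration_sec
```

The `where isnotnull(duration_sec)` line drops IDs for which only one of the two events was seen in the time range, which is also a useful check when the result looks incomplete: remove that line and the rows with an empty `start_time` or `end_time` show which side is missing. `min()` and `max()` make the search tolerant of an ID that emits either message more than once; if each ID should emit exactly one of each, `stats count BY event_id` beforehand is a quick way to confirm that assumption.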