I have an issue with calculating seconds that go over 60 minutes that sums to be a few days.

One of my eval calculations sums to be 496089.166322 seconds and if I use |fieldformat "Total Time"=strftime('Total Time', "%M:%S") I get 48:09 as the sum but should calculate to 5 days, 17 hours, 48 minutes and 9 seconds.

I am not sure if I have to use a macro to do the job? LINK

Or missing something obvious?

I have searched through every variation of this and have tried all the common date and time format variables with strftime( converts epoch time to format Y )

Here is my current search string where I have to break down the Days Hours Minutes and Seconds along with a ScreenCapture

Search String:

index="snort" ( 2222222 dest_port="") OR (1111111 src_port="") OR ( 1111111 src_ip="") OR (2222222 dest_ip="")
| eval disconnect_time=if(match(_raw,"2222222"),_time,null())
| eval connect_time=if(match(_raw,"1111111"),_time,null())
| eval Ephemeral=if(isnotnull(disconnect_time),dest_port,Ephemeral)
| eval Ephemeral=if(isnotnull(connect_time),src_port,Ephemeral)
| stats min(connect_time) as Connect max(disconnect_time) as Disconnect min(src_ip) as "Source IP" by Ephemeral
| eval Seconds=Disconnect-Connect
| fieldformat "Seconds"=strftime('Seconds', "%s")
| eval Minutes=Seconds/60
| eval Hours=Minutes/60
| eval Days=Hours/24
| convert timeformat="%a %b-%d %Y "at" %H:%M:%S" ctime(Connect) ctime(Disconnect)
| search Connect= Disconnect=
| rename Ephemeral as "Connection Port", Total_time as "lala"

asked 12 Feb '13, 10:11

Xe03kfp

One Answer:

Hello, I think that you have to use "tostring" on the eval command

| eval "Total Time"=tostring(Seconds,"duration")

The result of that command is 5+17:48:09.166322 where "5+" is the number of days.

I hope this helps you :)


answered 12 Feb '13, 10:28

jaraneda

Yes, that worked! Is there a way to take away the milliseconds? Also, how would I sum the "Total Seconds" as a "Total Time" like: | transpose | "Total Time" string --so the total time shows left justified?

(12 Feb '13, 10:39) Xe03kfp

I found addcoltotals gives me a total in seconds for the field I specify, then I will have to convert the seconds.

(12 Feb '13, 11:09) Xe03kfp

Can you get the amount of days on its own?

(27 Nov '13, 01:34) Oisin77
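
Added example, not part of the original thread and not Splunk code: a Python sketch of the arithmetic discussed above, showing why a timestamp formatter turns 496089.166322 seconds into 48:09 and how a duration rendering in the shape quoted in the answer (days, then HH:MM:SS) is built, with and without the fractional part. The function names, the UTC assumption and the two extra sample durations are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample durations in seconds; the first is the value from the question.
SESSIONS = [496089.166322, 3725.25, 59.5]

def strftime_like(seconds, fmt):
    """Format a number as an epoch timestamp (UTC assumed), as a strftime call does."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(fmt)

def whole_days(seconds):
    """Number of complete days in an elapsed-seconds value."""
    return int(seconds // 86400)

def duration_string(seconds, keep_fraction=True):
    """Render elapsed seconds as [D+]HH:MM:SS[.ffffff], the shape shown in the answer."""
    if not keep_fraction:
        seconds = round(seconds)  # drop the sub-second part before formatting
    total_us = round(seconds * 1_000_000)  # integer microseconds avoids float drift
    whole, us = divmod(total_us, 1_000_000)
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    text = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    if keep_fraction:
        text += f".{us:06d}"
    return f"{days}+{text}" if days else text

if __name__ == "__main__":
    value = SESSIONS[0]
    # A timestamp formatter sees 1970-01-06 17:48:09, so %M:%S keeps only 48:09.
    print(strftime_like(value, "%Y-%m-%d %H:%M:%S"), "->", strftime_like(value, "%M:%S"))
    print(duration_string(value))
    print(duration_string(value, keep_fraction=False))
    print(whole_days(value))
    # Sum the per-session seconds first, then format the total once.
    print(duration_string(sum(SESSIONS), keep_fraction=False))
```
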
Asked: 12 Feb '13, 10:11

Seen: 1,287 times

Last updated: 27 Nov '13, 01:34

Copyright © 2005-2014 Splunk Inc. All rights reserved.