Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate time difference / duration not showing correct results?

neerajs_81
Builder
‎06-13-2022 05:20 AM

Hi all,   I need to calculate the duration i.e. difference between endtime & starttime and display the same in a user friendly format.  I have looked at different posts on the forum and am using the same logic yet if you see my splunk results below,  the duration column shows numbers like 81, 82 , 96... which doesn't make sense.   Are these difference in secs ? Even if its secs, the math doesn't seem to be correct.    How can I make diff value show in a readable format like  81 seconds, or  00:00:81 ( HH:MM:SS) ?

 

| transaction eventID startswith=starting endswith=end 
| eval starttime = _time | eval endtime=_time+duration
| eval duration = endtime-starttime
| convert ctime(starttime)| convert ctime(endtime) 
| table starttime, endtime, duraton

 

 

 

neerajs_81_0-1655122704866.png

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 07:37 AM

Hi @neerajs_81,

all the time calculations must be done on numbers, so the tostring option is good to display a duration in human readable format, but it isn't good for calculations.

So make calculations before the tostring transformation, as @PickleRick and @ITWhisperer hinted:

if you want a duration greater one hour you have to calculate something like this.

| eval condition=if(duration>3600),"More than 1 hour","Less than 1 hour")

If this or another one answer solves your need, please, accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎06-13-2022 07:17 AM

It does make perfect sense.

14:17:06 + 82 seconds = 14:18:06+22 seconds = 14:18:28

And so on.

I'd also advise to not use eval to convert from this seconds-based duration to string but use fieldformat. This way you retain the possibility to do any manipulation you want but you'll present the time to the user in a readable way.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 05:24 AM

Hi @neerajs_81,

di you explored the use of tostring option?

somthing like this:

| transaction eventID startswith=starting endswith=end 
| eval starttime = _time | eval endtime=_time+duration
| eval duration = tostring(endtime-starttime,"duration")
| convert ctime(starttime)| convert ctime(endtime) 
| table starttime, endtime, duraton

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎06-13-2022 07:02 AM

You are the man !!!.  Thank you.
One more related question,  now that we have the duration calculated, how do i enable a condition to check if duration > N hours or N mins ?   Basically i need to filter for events where duration is past 1 hour say.  Will the below where clause work ? Doesn't appear to be  working

| where duration > 00:60:00   OR | where duration > 60

neerajs_81_0-1655128894949.png

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2022 07:37 AM

Hi @neerajs_81,

all the time calculations must be done on numbers, so the tostring option is good to display a duration in human readable format, but it isn't good for calculations.

So make calculations before the tostring transformation, as @PickleRick and @ITWhisperer hinted:

if you want a duration greater one hour you have to calculate something like this.

| eval condition=if(duration>3600),"More than 1 hour","Less than 1 hour")

If this or another one answer solves your need, please, accept it for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-13-2022 07:13 AM

Have your where command before the tostring() function remembering that the value will be in seconds, so use 3600 for 1 hour.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...