Getting Data In

Time differece

aquillius
New Member

How to get the total hours rendered if i have fields start_time and end_time

ex. 09:00-18:00 = 9

Tags (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

As suggested by @linu1988, you would have to convert your start_time and end_time to epoch for it. Try this.

your base search ..| eval time_diff=floor(strptime(start_time,"%H:%M")-strptime(end_time,"%H:%M")/3600) | ..rest of the search

Also note that you may have to adjust timestamp format for strptime command. Based on your sample values (09:00, 18:00) its "%H:%M". The format should be exactly as in your field value.

0 Karma

linu1988
Champion

Hello,
You need to do some query. if you have the time in epoch format the work is easier or you need to convert them to epoch and then get the time difference.

source=x |eval start=strptime("%m/%d/%Y %H:%M:%S,start_time )|eval end=strptime("%m/%d/%Y %H:%M:%S",end_time)|eval hr=(end-start)/3600|eval hr=floor(hr)

for minutes and second you need to calculate. The difference will not give you the correct result if direct the convert it using strftime().

Thanks

joebensimo
Path Finder

In your example, are the 09:00 and 18:00 elapsed time or time of day?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...