- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subtracting two timestamps
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunkers.
I have one issue about subtracting two timestamps.
I have the following fields:
start=20150917 18:28:32.460
end=20150917 18:28:32:500
I tried something like this:
<mysearch> | eval result_field=end-start
but no lucky.
I need the output as result_field=00:00:00.040.
Can you guys help me?
Thank you!
Best regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration")
Updated per new req
<Your search > | eval result_field=strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N") | stats avg(result_field) as result_field | eval result_field=tostring(result_field,"duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It still not working for . i have this sample log entry where boot-time for each machine in ENV are reported
I have 2016-05,ENV,R1,W,05/25/16 21:00:00.000,05/26/16 02:00:00.000,05/25/16 23:09:00.000,05/26/16 05:12:00.000,183
Where my "Scheduled End Time" : 05/26/16 02:00:00.000
"Actual End Time" : 05/26/18 05:12:00.000
I wanted the difference in minutes between Actual End Time and Scheduled End time. (192 minutes)
I have tried this approach
{search}|eval ac_end='Actual End Time'|convert mktime(ac_end) as ac_time timeformat="%Y-%m-%d %H:%M:%S"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
What you're looking for is a tostring conversion.
Simply use the following:
<mysearch> | eval result_field=end-start | eval result_field = tostring(result_field,"duration")
Or simply:
<mysearch> | eval result_field = tostring(end-start,"duration")
Let me know how that works out for you!
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
<Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration")
Updated per new req
<Your search > | eval result_field=strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N") | stats avg(result_field) as result_field | eval result_field=tostring(result_field,"duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Somesoni2,
this appears to work!
How can I get an average from result_field?
I tried to do
<Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration") | avg(result_field) as Average
but no success.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The above query generates a string field with the format you requested, so can't get the avg. Try the updated query.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
