- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to search duration using two timestamps?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to search duration using two timestamps?
Hi,
We need to find duration between timestamps and the format looks like below.
max_time=1461593558.000
min _time=1461593258.000
Used the search below to convert this to a proper time frame.
index=datapower |stats avg(Time) as Average,Count
| eval Average=round(Average,2) |where Average>50
| addinfo
| eval SearchstartTime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S")
| eval SearchendTime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
Tried finding difference like this by adding this to the end of the search:
| eval diff= tostring(SearchendTime - SearchstartTime,"duration")
but it is not retrieving any results.
Can you please help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please confirm that
index=datapower |stats avg(Time) as Average,Count
returns events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use info_min_time and info_max_time (which are in epoch format) to calculate duration.
index=datapower |stats avg(Time) as Average,Count
| eval Average=round(Average,2) |where Average>50
| addinfo | duration=(info_max_time-info_min_time,"duration")
| eval SearchstartTime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S")
|eval SearchendTime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search to find VPN connection durations, which I built a long time ago and probably with the help of answers.splunk.com. But here are the relevant parts if you can pick it apart for your usecase:
| convert dur2sec(duration) |bucket _time span=1d | stats sum(duration) as sumdur by _time src_ip |eval "Time Connected"=tostring(sumdur, "duration") |fields - sumdur |rename _time as Date | convert timeformat=%m/%d/%Y ctime(Date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Dave, used tostring with eval, but this is not returning any results .There might be some issue with strftime .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, sorry it's not working for you... I stripped it down more and the eval does work for me (obviously). Not sure why.
| convert dur2sec(duration) | stats sum(duration) as sumdur |eval "Time Connected"=tostring(sumdur, "duration")
duration is a field in my data. ignoring the bucket of one day tied to the _time (parses the search by date)...I just ran my new search for 24h which is the same thing (and much quicker). The above results in:
sumdur Time Connected
106846 1+05:40:46
Yeah...I live on VPN...
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
