Splunk Search

How can I do sum of a time field?

tamduong16
Contributor

Hi I'm new to Splunk and currently trying to understand how the search function work. How could I get Splunk to display the sum of call duration in total from all of my events? Thanks!


tamduong16
Contributor

I was able to figure out how to get the answer here:

....| convert num("Call Duration") | stats sum("Call Duration") as "TotalCD" | eval "TotalCD"=tostring($TotalCD$,"duration")

sjbriggs
Path Finder

This worked fine for me to get to seconds, then I just did /60/60 to get to hours which is what I wanted to sum up.


isoutamo
SplunkTrust

This

eval durations = tostring(durAsSec, "duration")

also gives you days, hours and minutes. Just select those from that string.


DalJeanis
SplunkTrust

You'd better verify against a couple of events that you are getting the correct result. If the "Call Duration" field was already in duration, then that would work.


sbbadri
Motivator

your base search | eval tp = 'Call Duration' | rename "Max Latency Rx" as lrx, "Call Rate" as cr | convert dur2sec(tp) as tp | stats sum(tp) as tp by lrx cr | eval tp= if(tp>86400,floor(tp/86400)." Days ".round((tp%86400)/3600,2)." Hours" ,strftime(tp,"%H:%M:%S")) | rename lrx as "Max Latency Rx", cr as "Call Rate" | table "Call Duration", "Max Latency Rx", "Call Rate" , tp

DalJeanis
SplunkTrust

Yeah, those renames help the code be less ugly a lot, don't they?


DalJeanis
SplunkTrust

Lots of ways, depending on what you want.

If you just want to know the sum of all those, and don't need the details, then...

| stats sum("Call Duration") as "Call Duration"

If you want to keep the details and just add a totals line at the bottom for only the Call Duration field...

| addtotals row=f col=t "Call Duration"

If you want to append an additional totals line after all the prior lines with the total call duration, the maximum max latency, and the average call rate...

| appendpipe [| stats sum("Call Duration") as "Call Duration" max("Max Latency Rx") as "Max Latency Rx" avg("Call Rate") as "Call Rate"]

All of those depend on the assumption that the duration is a value in seconds, that has just been told to format itself as you have shown. If it is actually a character value, then you are going to have to strptime it first in order to be able to do the calculations.

| eval "Call Duration"= strptime("Call Duration","%H:%M:%S")
... one of the above things ...
| eval "Call Duration"= if("Call Duration">86400,floor("Call Duration"/86400)." Days ".round(("Call Duration"/86400)/3600,2)." Hours" ,strftime("Call Duration","%H:%M:%S"))
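As an added, self-contained example (not from any poster in this thread): the first three commands build constructed sample events whose "Call Duration" strings mix one- and two-digit hours, the field is then referenced with single quotes (in eval, double quotes make a string literal, so "Call Duration" passed to strptime is the literal text, not the field), split/tonumber convert each value to seconds regardless of digit count, and appendpipe adds the totals row beneath the detail rows, as described above.

```spl
| makeresults count=3
| streamstats count as n
| eval "Call Duration"=case(n=1, "7:05:30", n=2, "00:12:45", n=3, "1:00:00")
| eval parts=split('Call Duration', ":")
| eval secs=tonumber(mvindex(parts,0))*3600 + tonumber(mvindex(parts,1))*60 + tonumber(mvindex(parts,2))
| fields - _time n parts
| appendpipe [ stats sum(secs) as secs | eval "Call Duration"="TOTAL" ]
| eval "Duration (readable)"=tostring(secs, "duration")
| table "Call Duration" secs "Duration (readable)"
```

To use it on real events, replace the makeresults, streamstats and case lines with your base search; the secs column stays numeric, so further arithmetic (for example /3600 for hours) can be applied to it.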

tamduong16
Contributor

For some reason, the first stats command didn't show anything.
The eval "Call Duration"= strptime("Call Duration","%H:%M:%S") gives me nothing under Call Duration. It doesn't display a zero or anything.


DalJeanis
SplunkTrust

hmmm. You have a single-digit hour there.

| eval "Call Duration"= if(len("Call Duration")=7,"0","")."Call Duration"
| eval "Call Duration"= strptime("Call Duration","%H:%M:%S")