Solved: How to convert results of Eval Function

matthew_ramsey · ‎08-21-2017

Hello, Looking for some help with my search.
The convert works fine for Last and First Occurrence but not sure why not for the two eval commands? The two eval commands bring me back seconds I think? example 17778.566205 or is that EPOC? I need to convert them to days/hours/mins and I've tried several things but not having any luck.

index=ABC MessageText="Kickout"

|stats max(_time) as LastOccurence min(_time) as FirstOccurence by MessageText
|eval "Duration Between Events"=LastOccurance-FirstOccurence
|eval "Time Since Last Event"=(now()-LastOccurence)

|convert timeformat="%m/%d/%Y %H:%M:%S" ctime("FirstOccurence")
|convert timeformat="%m/%d/%Y %H:%M:%S" ctime("LastOccurence")
|table FirstOccurence, LastOccurence, "Duration Between Events", "Time Since Last Event"

cmerriman · ‎08-21-2017

from the looks of it, "Duration Between Events" and "Time Since Last Event" should be in seconds because you'd be subtracting two epoch values. if you want them in days:hours:mins, try this:

|eval "Duration Between Events"=tostring(LastOccurance-FirstOccurence,"duration")
|eval "Time Since Last Event"=tostring((now()-LastOccurence),"duration")

http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/ConversionFunctions#tostring.28X.2...

View solution in original post

cmerriman · ‎08-21-2017

from the looks of it, "Duration Between Events" and "Time Since Last Event" should be in seconds because you'd be subtracting two epoch values. if you want them in days:hours:mins, try this:

|eval "Duration Between Events"=tostring(LastOccurance-FirstOccurence,"duration")
|eval "Time Since Last Event"=tostring((now()-LastOccurence),"duration")

http://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/ConversionFunctions#tostring.28X.2...

How to convert results of Eval Function

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!