- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add time values together in search query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add time values together in search query?
Basically just trying to add three time values together by doing this: eval total_time = queue_time + Duration + test_summary.duration, but I am not getting any results. Any help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here you go
| makeresults
| eval current="10:00:00"
| eval c_time=strptime(current,"%H:%M:%S")
| eval duration=30
| eval total = c_time+duration
| convert ctime(total)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cdgill, make sure that the three field names are correct and have same case as field names are case sensitive i.e. queue_time, Duration and test_summary.duration.
Since dot (.) is used as string concatenation character for eval, you would need to escape the dot character present in the field name using single quotes in eval expression.
<YourBaseSearchWithThreeFields>
| eval total_time = queue_time + Duration + 'test_summary.duration'
Following is a run anywhere example for the same:
| makeresults
| eval queue_time=5, Duration=4, test_summary.duration=7
| table queue_time Duration "test_summary.duration"
| eval total_time = queue_time + Duration + 'test_summary.duration'
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just attempted your solution and it seemed to just perform a string concatenation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cdgill, have you tried the run anywhere search above? Are you not getting the total_time as 16?
If run anywhere search is working and | eval total_time = queue_time + Duration + 'test_summary.duration' is not working in your current search please add some sample data for the three fields and also mention the field names as is.
What happens when you print | table queue_time Duration "test_summary.duration". Are the fields showing values correctly?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's an image which shows my table along with my search query. I appreciate the help, I'm very new and lost when it comes to Splunk! https://imgur.com/a/FfM0Q
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cdgill you need to convert the duration to epoch and later change it to human readable format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @cdgill,
Can you please provide sample data for all three fields ?
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
