I have the following log:
Oct 9 20:52:37 130.130.128.122 Oct 9 04:47:22 130.130.128.122 CisACS_03_RADIUSAcc p5powg8x 1 0 User-Name=GSSHTB\17997,NAS-IP-Address=10.10.1.24,NAS-Port=50010,Group-Name=Group 80,Calling-Station-Id=00-11-43-BC-76-19,Acct-Status-Type=Stop,Acct-Input-Octets=5726228,Acct-Output-Octets=92503773,Acct-Session-Id=10.10.1.24 GSSHTB\17997 03/14/93 04:43:21 000000E9,Acct-Session-Time=16839,
From the above log I can find the stop time (03/14/93 04:43:21) and the time (Acct-Session-Time=16839). Now I want to calculate the beginning time; how can I get this result?
I assume that Acct-Session-Time is in seconds. Therefore, you can do this:
<yoursearchhere>
| eval beginningTime = strptime('stop-time',"%m/%d/%y %H:%M:%S") - 'Acct-Session-Time'
| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
It would be better if your field names did not use "-". Field names should have only letters, numbers and underscores. So you may find that Splunk automatically changes the "-" to "_", which would make the command:
<yoursearchhere>
| eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Session_Time
| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
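The same calculation outside Splunk, as an added example that is not part of this thread or of Splunk itself: it parses the key=value payload of the accounting line quoted above (the syslog header is dropped and the line is embedded as constructed sample input), cleans the hyphenated attribute names into underscore form the way Splunk's key cleaning does, pulls the stop timestamp out of Acct-Session-Id (the log has no standalone stop-time attribute; the answer assumes one was extracted), and subtracts Acct-Session-Time in seconds. A missing or misspelled field name returns None instead of a value, mirroring how a null field makes the whole eval expression null. The function and field names are the example's own.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample: the CisACS RADIUS accounting payload from the post above,
# with the syslog header (dates, relay IP, record type, counters) removed.
SAMPLE_PAYLOAD = (
    "User-Name=GSSHTB\\17997,NAS-IP-Address=10.10.1.24,NAS-Port=50010,"
    "Group-Name=Group 80,Calling-Station-Id=00-11-43-BC-76-19,"
    "Acct-Status-Type=Stop,Acct-Input-Octets=5726228,"
    "Acct-Output-Octets=92503773,"
    "Acct-Session-Id=10.10.1.24 GSSHTB\\17997 03/14/93 04:43:21 000000E9,"
    "Acct-Session-Time=16839,"
)

# Same format string the Splunk answer uses for strptime/strftime.
TIME_FMT = "%m/%d/%y %H:%M:%S"
STOP_TIME_RE = re.compile(r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def clean_key(key: str) -> str:
    """Turn every character that is not a letter, digit or underscore into '_',
    so 'Acct-Session-Time' becomes 'Acct_Session_Time' (the underscore form the
    answer recommends; assumed here to match Splunk's default key cleaning)."""
    return re.sub(r"[^A-Za-z0-9_]", "_", key)


def parse_fields(payload: str) -> Dict[str, str]:
    """Split the comma-separated key=value payload into a dict with cleaned keys.
    Values are split on the first '=' only, so values containing spaces or
    backslashes survive intact; the trailing empty piece after the final comma
    (present in the sample) has no '=' and is skipped."""
    fields: Dict[str, str] = {}
    for piece in payload.split(","):
        if "=" not in piece:
            continue
        key, value = piece.split("=", 1)
        fields[clean_key(key.strip())] = value.strip()
    return fields


def extract_stop_time(fields: Dict[str, str]) -> Optional[str]:
    """The stop timestamp is embedded in Acct-Session-Id rather than being its
    own attribute, so locate it with a regex; None if it is not there."""
    match = STOP_TIME_RE.search(fields.get("Acct_Session_Id", ""))
    return match.group(0) if match else None


def compute_start_time(fields: Dict[str, str],
                       session_field: str = "Acct_Session_Time") -> Optional[str]:
    """Return the session start formatted with TIME_FMT, or None when the stop
    time or the session-length field is missing or non-numeric. Returning None
    is the analogue of Splunk's null propagation: subtracting a field that does
    not exist (for instance because its name is misspelled) yields an empty
    beginningTime rather than an error."""
    stop = extract_stop_time(fields)
    seconds = fields.get(session_field)
    if stop is None or seconds is None or not seconds.isdigit():
        return None
    start = datetime.strptime(stop, TIME_FMT) - timedelta(seconds=int(seconds))
    return start.strftime(TIME_FMT)


if __name__ == "__main__":
    parsed = parse_fields(SAMPLE_PAYLOAD)
    print("stop time :", extract_stop_time(parsed))
    print("start time:", compute_start_time(parsed))
    # A misspelled field name silently produces no result, exactly the symptom
    # a Splunk search shows when an eval references a field that does not exist.
    print("misspelled:", compute_start_time(parsed, "Acct_Sesssion_Time"))
```

For the sample line, 16839 seconds is 4 h 40 m 39 s, so the start is 03/14/93 00:02:42. The same regex used in `extract_stop_time` is what a Splunk `rex` field extraction for stop_time would need, since the timestamp only exists inside Acct-Session-Id.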
Thank you very much, I got it.
Hmm. Try this:
host="splunk.514"
| eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Session_Time
| eval beginTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
| table beginTime stop_time Acct_Session_Time
Thanks a lot.
I did the search following your advice, but got no result.
host="splunk.514" | eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S") | table beginningTime stop_time
Result:

    beginningTime   stop_time
  1
  2                 03/14/93 04:47:15
  3                 03/14/93 09:50:51
Please analyse the reason, thank you!