Can you help me in subtracting 2 times together?

louisawang
New Member

I have a time where a ticket is created called:

| eval start_time =strftime(start_time_epoch,"%Y-%m-%d %H:%M:%S") 

If the start time is >=12, it is supposed to be subtracted from 8pm, meaning 20:00:00 - start_time, to find how much time there is.

So, if the start time is "2019-01-22 16:37:45", the time is 03:22:15.
The reason I want this time is because I have an SLA ticket, which takes 8 hours to be completed, and the business hours are until 8pm. So, if the ticket is raised later than 12pm, it will have to continue the remaining time the next day. That is why I want to find out how much time remained after 8pm.

So for the start time of "2019-01-22 16:37:45", the workers end work at 8pm, leaving 03:22:15 hours remaining to continue the next day 8am.
So the SLA should end on 2019-01-23 11:22:15.

This is my code:

| eval start_time =strftime(start_time_epoch,"%Y-%m-%d %H:%M:%S") 
| eval end_time = "20:00:00"
| eval start_time_timing = strftime(start_time_epoch,"%H:%M:%S") 
| eval remainder = case(SEVERITY = "Sev 2" AND date_hour >=12,(TARGET-(end_time-start_time_timing)) * 3600) 
| eval SLA_DEADLINE = if(SEVERITY = "Sev 2" AND date_hour >=12,relative_time(SLA_DEADLINE,"+1d@d+8h") + remainder, SLA_DEADLINE) 

I used start_time_timing to get the Hours, Minutes and Seconds.

SEVERITY 2 means the targeted hours is 8 hours.

0 Karma
1 Solution

richgalloway
SplunkTrust

As you've discovered, you can't subtract strings. Math on timestamps must be done using epochs. Try this query:

... | eval end_time=relative_time(start_time_epoch, "@d")+(20*3600) `comment ("Set end time to 0:00 + 20 hours =>8pm")`
| eval remainder=case(SEVERITY = "Sev 2" AND date_hour >=12,(TARGET-(end_time-start_time_epoch)))
| eval SLA_DEADLINE = if(SEVERITY = "Sev 2" AND date_hour >=12,relative_time(SLA_DEADLINE,"+1d@d+8h") + remainder, SLA_DEADLINE)
---
If this reply helps you, Karma would be appreciated.

0 Karma
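The epoch arithmetic in the accepted answer, worked through in Python as an added example (this is not code from the thread or from Splunk, and it is not SPL). It mirrors each eval step: end_time as midnight of the start day plus 20 hours, remainder as TARGET minus the seconds worked before 8pm, and the deadline as the next day at 08:00 plus the remainder. Assumptions not in the thread: the start time is a naive local-time string with no time zone handling, TARGET is in seconds (8 hours for Sev 2), the baseline SLA_DEADLINE for tickets that do not carry over is start + target, the next-morning anchor is taken relative to the start time rather than the existing SLA_DEADLINE, and a ticket opened after 8pm is clamped so that its whole target carries to the next morning. Applied to the question's 2019-01-22 16:37:45 start, the answer's formula yields 2019-01-23 12:37:45 (8 hours minus the 3:22:15 worked before 8pm, added to 08:00 the next day).

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
BUSINESS_END_HOUR = 20    # 8pm, from the thread
BUSINESS_START_HOUR = 8   # 8am, from the thread
CARRYOVER_FROM_HOUR = 12  # date_hour >= 12 carries over, from the thread


def sla_deadline(start_time, target_seconds=8 * 3600, severity="Sev 2"):
    """Return the SLA deadline as a "%Y-%m-%d %H:%M:%S" string.

    start_time is a naive local-time string shaped like the thread's
    start_time field (no time zone handling: an assumption of this example).
    target_seconds is the thread's TARGET in seconds; Sev 2 means 8 hours.
    """
    start = datetime.strptime(start_time, FMT)

    # Baseline deadline for tickets that need no carry-over: start + target.
    # The thread computes SLA_DEADLINE earlier without showing how, so this
    # baseline is an assumption.
    baseline = start + timedelta(seconds=target_seconds)
    if severity != "Sev 2" or start.hour < CARRYOVER_FROM_HOUR:
        return baseline.strftime(FMT)

    # end_time = relative_time(start_time_epoch, "@d") + 20*3600  (8pm same day)
    end_of_business = start.replace(hour=BUSINESS_END_HOUR, minute=0, second=0)

    # Seconds of the target consumed before 8pm. A ticket opened after 8pm
    # would make this negative; clamping to zero (not in the thread) carries
    # the whole target to the next morning instead of extending the deadline.
    worked_today = max(0, int((end_of_business - start).total_seconds()))

    # remainder = TARGET - (end_time - start_time_epoch)
    remainder = target_seconds - worked_today

    # relative_time(..., "+1d@d+8h"): next calendar day at 08:00. Taken here
    # relative to the start time (assumption); the thread applies it to SLA_DEADLINE.
    next_morning = (start + timedelta(days=1)).replace(
        hour=BUSINESS_START_HOUR, minute=0, second=0
    )
    return (next_morning + timedelta(seconds=remainder)).strftime(FMT)


if __name__ == "__main__":
    # Constructed sample start times: the thread's example, a morning ticket,
    # a ticket at exactly noon, and one opened after business hours.
    for ts in ("2019-01-22 16:37:45", "2019-01-22 09:00:00",
               "2019-01-22 12:00:00", "2019-01-22 21:15:00"):
        print(ts, "->", sla_deadline(ts))
```

The noon case is the boundary of the answer's `date_hour >= 12` test: 12:00 plus 8 hours lands exactly on 20:00, the remainder is zero, and the deadline is 08:00 the next day. In Splunk, `relative_time(..., "@d")` snaps to midnight in the search head's time zone, so start_time_epoch and the day boundary must be interpreted in the same zone for the same arithmetic to hold.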

louisawang
New Member

It worked, thank you! 🙂

0 Karma