Dashboards & Visualizations

in a Splunk Dashboard, how do you calculate the time difference between now and start time ?

jagadeeshvenkat
Explorer

Hi all,

I have a Splunk dashboard in which I have to divide my total by seconds (Please refer below 3600). Instead of hard coding, I have to do a divide by difference between start time and now .

| eval TPS=Round((Total/**3600**),2) 

I.e., if I select and search for time range between 03/05/2019 04:00:00 AM to 03/05/2019 06:00:00 AM , it should return a value which i can substitute using a variable in the below eval function.

| eval TPS=Round((Total/**some_variable**),2) 

Any help is much appreciated .!!!!

thanks in advance.

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@jagadeeshvenkatesh1,

now() - $your_time_token.earliest$

updated:

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
|eval TPS=Round((Total/(now() - starttime)),2) 
Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@jagadeeshvenkatesh1,

now() - $your_time_token.earliest$

updated:

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
|eval TPS=Round((Total/(now() - starttime)),2) 
Happy Splunking!
0 Karma

jagadeeshvenkat
Explorer

That's awesome.. it worked .. My long time change in my prod dashboard is done because of you.
Thanks for that @renjith.nair . it means a lot.! 🙂

nainanayana
New Member

index="*" |eval check_in=check_in |eval check_out=check_out |eval it = strptime(check_in, "%H:%M:%S")
| eval ot = strptime(check_out, "%H:%M:%S") | eval diff=ot-it |eval diff1 = tostring(diff, "duration")
i was trying to get duration between checkin and check out but i am getting only 1 person duration please check and let me know soon

0 Karma

jagadeeshvenkat
Explorer

thanks @renjith.nair . if i use
| eval TPS=Round((Total/(now() - $field1.earliest$)),2)
, i getting an error like "error in 'eval' command. the expression is malperformed Expected )".

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

okie, thats because you might be using relative time (-1d,-1m etc).

Try this then

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
| eval TPS=Round((Total/(now() - starttime)),2) 
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...