Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

in a Splunk Dashboard, how do you calculate the time difference between now and start time ?

jagadeeshvenkat
Explorer
‎03-05-2019 04:36 AM

Hi all,

I have a Splunk dashboard in which I have to divide my total by seconds (Please refer below 3600). Instead of hard coding, I have to do a divide by difference between start time and now .

| eval TPS=Round((Total/**3600**),2)

I.e., if I select and search for time range between 03/05/2019 04:00:00 AM to 03/05/2019 06:00:00 AM , it should return a value which i can substitute using a variable in the below eval function.

| eval TPS=Round((Total/**some_variable**),2)

Any help is much appreciated .!!!!

thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-05-2019 04:42 AM

@jagadeeshvenkatesh1,

now() - $your_time_token.earliest$

updated:

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
|eval TPS=Round((Total/(now() - starttime)),2)
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-05-2019 04:42 AM

@jagadeeshvenkatesh1,

now() - $your_time_token.earliest$

updated:

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
|eval TPS=Round((Total/(now() - starttime)),2)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

jagadeeshvenkat
Explorer
‎03-05-2019 05:36 AM

That's awesome.. it worked .. My long time change in my prod dashboard is done because of you.
Thanks for that @renjith.nair . it means a lot.! 🙂

Reply
Solved! Jump to solution

nainanayana
New Member
‎06-04-2019 03:33 AM

index="*" |eval check_in=check_in |eval check_out=check_out |eval it = strptime(check_in, "%H:%M:%S")
| eval ot = strptime(check_out, "%H:%M:%S") | eval diff=ot-it |eval diff1 = tostring(diff, "duration")
i was trying to get duration between checkin and check out but i am getting only 1 person duration please check and let me know soon

0 Karma
Reply
Solved! Jump to solution

jagadeeshvenkat
Explorer
‎03-05-2019 04:51 AM

thanks @renjith.nair . if i use
| eval TPS=Round((Total/(now() - $field1.earliest$)),2)
, i getting an error like "error in 'eval' command. the expression is malperformed Expected )".

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎03-05-2019 05:07 AM

okie, thats because you might be using relative time (-1d,-1m etc).

Try this then

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
| eval TPS=Round((Total/(now() - starttime)),2)
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...