Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval Epoch Duration Time into Human Readable Format

migullmills
Explorer
‎12-19-2019 03:50 PM

I am using the following query to show the duration of a accounts logon and logoff. The results come back in epoch time, and if I make changes to time using eval strftime, it negates the duration. 

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon

If I add 

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | eval time=strftime(_time,"%x %r") | stats earliest(eval(if(EventCode=4624, time, null()))) as Logon latesteval(eval(if(EventCode=4634, time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon

it converts the Logon and Logoff, but the duration field comes up blank. I am assuming its due to duration not being able to compute the modified time format.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2019 02:59 AM

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2019 02:59 AM

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2019 08:42 PM

@migullmills

Yes, _time gives numeric values (epoch time ) in Logon and Logoff so you can do mathematical operation. like | eval duration=Logoff-Logon.

| eval time=strftime(_time,"%x %r").

strftime gives you human readable string so mathematical operation will return null here.

So here I suggest you to use first search,

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" 
| stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName 
| eval duration=Logoff-Logon

If you want duration field in human readable format then try by adding below search block.

|eval myduration=tostring(duration,"duration")

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...