Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

String to Date Time

dhiraj027in
New Member
‎06-22-2016 08:48 PM

I am new to splunk and currently trying to get the date and time difference (Opened vs Resolved) for an incident.
Based on the field type Opened & Resolved are string type and what should I do? I have gone to multiple answers but not able to figure out the solution. Please help.

Below is the example of my selected fields

Assigned to = Arjay Torreliza
Category = Alert
Number = INC0975300
Opened = 5/31/2016 22:43
Resolved = 6/1/2016 9:49
host = prd-p-ttsrqrml973d
source = incident.csv
sourcetype = csv
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-23-2016 10:08 AM

First, you need to convert the string to epoch time using the strptime command & then find the difference.. try this

| eval opened_epoch=strptime(Opened, "%-m/%d/%Y %H:%M) | eval resolved_epoch=strptime(Resolved, "%-m/%d/%Y %-H:%M) | eval duration=tostring(resolved_epoch-opened_epoch, "duration")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-23-2016 10:08 AM

First, you need to convert the string to epoch time using the strptime command & then find the difference.. try this

| eval opened_epoch=strptime(Opened, "%-m/%d/%Y %H:%M) | eval resolved_epoch=strptime(Resolved, "%-m/%d/%Y %-H:%M) | eval duration=tostring(resolved_epoch-opened_epoch, "duration")
0 Karma
Reply
Solved! Jump to solution

dhiraj027in
New Member
‎06-23-2016 11:00 AM

Great. This works but the duration is not exactly what I am looking for. Is this possible?

Current output (this shows 6 days, 23 hours & 23 seconds)
6+23:23:00.000000

What I am looking for (167 hours and 23 seconds)
167:23:00.000000

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-23-2016 01:00 PM

Add this to the end

| rex field=z "(?<d>\d{0,2})\+?(?<h>\d{2})(?<ms>:\d{2}:\d{2})" | eval d=if(len(d)=0, 0, d) | eval duration=(d*24+h).ms
0 Karma
Reply
Solved! Jump to solution

dhiraj027in
New Member
‎06-23-2016 04:29 PM

I used the above and integrated with my query. I am not getting any output for "duration". Should I change anything here?

index="incidents_stores_wisp" date_year="2016" Category="Alert" | eval opened_epoch=strptime(Opened, "%m/%d/%Y %H:%M") | eval resolved_epoch=strptime(Resolved, "%m/%d/%Y %H:%M") | eval duration=tostring(resolved_epoch-opened_epoch, "duration") | rex field=z "(?\d{0,2})\+?(?\d{2})(?:\d{2}:\d{2})" | eval d=if(len(d)=0, 0, d) | eval duration=(d*24+h).ms | table Number "Assigned to" "Short description" Opened Resolved duration
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...