Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval Epoch Duration Time into Human Readable Format

migullmills
Explorer
‎12-19-2019 03:50 PM

I am using the following query to show the duration of a accounts logon and logoff. The results come back in epoch time, and if I make changes to time using eval strftime, it negates the duration. 

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon

If I add 

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | eval time=strftime(_time,"%x %r") | stats earliest(eval(if(EventCode=4624, time, null()))) as Logon latesteval(eval(if(EventCode=4634, time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon

it converts the Logon and Logoff, but the duration field comes up blank. I am assuming its due to duration not being able to compute the modified time format.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2019 02:59 AM

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2019 02:59 AM

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2019 08:42 PM

@migullmills

Yes, _time gives numeric values (epoch time ) in Logon and Logoff so you can do mathematical operation. like | eval duration=Logoff-Logon.

| eval time=strftime(_time,"%x %r").

strftime gives you human readable string so mathematical operation will return null here.

So here I suggest you to use first search,

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" 
| stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName 
| eval duration=Logoff-Logon

If you want duration field in human readable format then try by adding below search block.

|eval myduration=tostring(duration,"duration")

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...