Solved: Eval difference between two fields for each entry

ltrand · ‎08-19-2015

So I'm trying to display what the timespan is from start to finish of a bucket and add it as a new field to the table.

|dbinspect index=main
| eval start_time=strftime(startEpoch,"%y/%m/%dT%H:%M:%S") | eval end_time=strftime(endEpoch,"%y/%m/%dT%H:%M:%S") | eval span=tostring((end_time-start_time), "duration")
| table start_time,end_time,span,modTime,state,sizeOnDiskMB,rawSize,eventCount,sourceCount,sourceTypeCount

The problem is that the eval statement that is supposed to calculate span is not functioning correctly, it is just empty for each line. Any thoughts on how I can fix this?

richgalloway · ‎08-19-2015

Subtract times using epochs rather than strings. Then convert it into a human-readable format, if desired.

... | eval span=endEpoch-startEpoch | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-19-2015

Subtract times using epochs rather than strings. Then convert it into a human-readable format, if desired.

... | eval span=endEpoch-startEpoch | ...

---
If this reply helps you, Karma would be appreciated.

ltrand · ‎08-19-2015

Thanks, that got me there.

|dbinspect index=main | eval span=tostring((endEpoch-startEpoch), "duration") | eval start_time=strftime(startEpoch,"%y/%m/%dT%H:%M:%S") | eval end_time=strftime(endEpoch,"%y/%m/%dT%H:%M:%S") | table start_time,end_time,span,modTime,state,sizeOnDiskMB,rawSize,eventCount,sourceCount,sourceTypeCount,splunk_server,path

Eval difference between two fields for each entry

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk