Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

sandeep2679
New Member
‎10-31-2017 04:15 AM

Hello,

I am trying to calculate difference between
Disconnected_time Duration
Oct 19 10:35:54 1d 0h:00m:05s

Oct 19 10:35:54 3h:29m:09s
I want to get
Connected_time = disconncted_time - Duration

0 Karma
Reply

alemarzu
Motivator
‎11-02-2017 06:16 AM

Hi there @sandeep2679

This is not the most elegant solution but it might work.

base search ...
| rex "\d{2}:\d{2}:\d{2}\s(?<day>\d+)d\s[hms:\d]+"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<hour>\d+)[hms:\d]"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<min>\d+)m:\d+s"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<sec>\d+)s"
| eval 2sec_day=(day*86400)
| eval 2sec_hourmin=(hour*3600) + (min*60) + sec
| table _time 2sec_*
| addtotals fieldname=duration
| eval conn_time=_time-duration
| eval Connected_time=strftime(conn_time,"%b %d %H:%M:%S")

Hope it helps.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2017 06:57 AM

The only way to calculate time differences is by first converting the times into epoch format. I know of no function to convert durations into epochs so it has to be done manually.

... | rex field=Duration "((?<days>\d+)d\s)?(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s" | eval  days=coalesce(days,0),duration=(days*86400)+(hours*3600)+(minutes*60)+seconds | eval Connected_time=strftime(strptime(Disconnected_time,"%b %d %H:%M:%S")-duration, "%b %d %H:%M:%S") | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2017 07:28 AM

@niketnilay's use of dur2sec is much cleaner than my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sandeep2679
New Member
‎11-02-2017 02:48 AM

Thank you

0 Karma
Reply

niketn
Legend
‎10-31-2017 06:36 AM

@sandeep2679, please try the following:

<YourBaseSearch>
|  eval Duration=replace(replace(Duration,"d","+"),"h|m|s","")
|  convert dur2sec(Duration)
|  eval Connected_time= disconncted_time - Duration

Refer to Splunk Documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert#1._Convert_sendmail_durat...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

sandeep2679
New Member
‎11-02-2017 03:13 AM

Thank you for helping. Duration is converted into seconds but when subtracted from disconnected_time
I get nothing. i.e Connected_time is not created.

0 Karma
Reply

niketn
Legend
‎11-02-2017 07:27 AM

Seems like disconncted_time is String Time and not Epoch. Try the following:

 <YourBaseSearch>
 |  eval Duration=replace(replace(Duration,"d","+"),"h|m|s","")
 |  convert dur2sec(Duration)
 |  eval disconncted_time=strptime(disconncted_time,"%b %d %H:%M:%S")
 |  eval Connected_time= disconncted_time - Duration
 |  fieldformat disconncted_time=strftime(disconncted_time,"%b %d %H:%M:%S")
 |  fieldformat Connected_time=strftime(Connected_time,"%b %d %H:%M:%S")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...