https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564023#M100459 <P>Hi,</P><P>&nbsp;</P><P>i have my query below, i used query from "Solved" questions on community, however its showing NULL result for me.<BR /><BR />Query --<BR /><BR />index=victorops sourcetype="splunk:victorops:incidents:json" "PTS"<BR />| dedup incidentNumber<BR />| eval startTimeFormatted=strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") -18000<BR />| eval SplunkStartTime=strftime(startTimeFormatted,"%m/%d/%y %H:%M:%S")</P><P><BR />| eval endTimeFormatted=strptime(lastAlertTime,"%Y-%m-%dT%H:%M:%SZ") -18000<BR />| eval SplunkEndTime=strftime(endTimeFormatted,"%m/%d/%y %H:%M:%S")</P><P><BR />| eval MTTR = round((SplunkEndTime-SplunkStartTime)/86400)<BR />| table incidentNumber, SplunkStartTime,&nbsp;routingKey, entityDisplayName,&nbsp;SplunkEndTime, currentPhase, MTTR<BR /><BR /><BR />Above query&nbsp; showing "NULL" output to "MTTR" field.</P><P>&nbsp;</P><P>Please advise !</P> Fri, 20 Aug 2021 05:14:18 GMT Manasi25 2021-08-20T05:14:18Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564023#M100459 <P>Hi,</P><P>&nbsp;</P><P>i have my query below, i used query from "Solved" questions on community, however its showing NULL result for me.<BR /><BR />Query --<BR /><BR />index=victorops sourcetype="splunk:victorops:incidents:json" "PTS"<BR />| dedup incidentNumber<BR />| eval startTimeFormatted=strptime(startTime,"%Y-%m-%dT%H:%M:%SZ") -18000<BR />| eval SplunkStartTime=strftime(startTimeFormatted,"%m/%d/%y %H:%M:%S")</P><P><BR />| eval endTimeFormatted=strptime(lastAlertTime,"%Y-%m-%dT%H:%M:%SZ") -18000<BR />| eval SplunkEndTime=strftime(endTimeFormatted,"%m/%d/%y %H:%M:%S")</P><P><BR />| eval MTTR = round((SplunkEndTime-SplunkStartTime)/86400)<BR />| table incidentNumber, SplunkStartTime,&nbsp;routingKey, entityDisplayName,&nbsp;SplunkEndTime, currentPhase, MTTR<BR /><BR /><BR />Above query&nbsp; showing "NULL" output to "MTTR" field.</P><P>&nbsp;</P><P>Please advise !</P> Fri, 20 Aug 2021 05:14:18 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564023#M100459 Manasi25 2021-08-20T05:14:18Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564034#M100460 <P>Hi</P><P>you cannot calculate with string fields. You must use those with numeric values. In your case those are&nbsp;<SPAN>startTimeFormatted and&nbsp;endTimeFormatted.</SPAN></P><P><SPAN>If you would like to see MTTR as human&nbsp;readable convert it with&nbsp;</SPAN></P><LI-CODE lang="markup">eval MTTR = tostring(MTTR, "duration")</LI-CODE><P>after calculation.</P><P>r. Ismo&nbsp;</P> Fri, 20 Aug 2021 06:56:40 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564034#M100460 isoutamo 2021-08-20T06:56:40Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564173#M100478 <P>Hello</P><P>Thank you !&nbsp;<BR />I used this and this shows "00:00:00" result to all time spam. PFA<BR /><BR /></P><P>Please advise further!</P><P>&nbsp;</P> Sat, 21 Aug 2021 06:08:03 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564173#M100478 Manasi25 2021-08-21T06:08:03Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564180#M100479 <LI-CODE lang="markup">| eval MTTR = tostring(round((endTimeFormatted-startTimeFormatted)/86400),"duration")</LI-CODE> Sat, 21 Aug 2021 08:49:22 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564180#M100479 ITWhisperer 2021-08-21T08:49:22Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564618#M100519 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,</P><P>I searched with your query and still getting "00:00:00" result to all rows.</P><P>&nbsp;</P><P>PFA. please help !</P><P>&nbsp;</P> Wed, 25 Aug 2021 00:59:48 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564618#M100519 Manasi25 2021-08-25T00:59:48Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564668#M100521 <LI-CODE lang="markup">| eval MTTR = tostring(endTimeFormatted-startTimeFormatted,"duration")</LI-CODE> Wed, 25 Aug 2021 09:34:06 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564668#M100521 ITWhisperer 2021-08-25T09:34:06Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564697#M100526 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224603">@Manasi25</a>,</P><P>Since the time fields are string formatted, MTTR calculation is not possible. Please try below options;</P><LI-CODE lang="markup">in days; | eval MTTR =round((lastAlertTime-startTime)/86400) OR formatted as duration; | eval MTTR = tostring(lastAlertTime-startTime, "duration")</LI-CODE><P>&nbsp;</P> Wed, 25 Aug 2021 12:46:14 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564697#M100526 scelikok 2021-08-25T12:46:14Z https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564743#M100528 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<BR /><BR />This helps and result is good. Thank you !</P> Wed, 25 Aug 2021 15:04:39 GMT https://community.splunk.com/t5/Getting-Data-In/Subtracts-two-time-field-showing-null-result/m-p/564743#M100528 Manasi25 2021-08-25T15:04:39Z