<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to search duration using two timestamps? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214042#M42072</link>
    <description>&lt;P&gt;Hmm, sorry it's not working for you...  I stripped it down more and the eval does work for me (obviously).  Not sure why.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| convert dur2sec(duration) | stats sum(duration) as sumdur |eval "Time Connected"=tostring(sumdur, "duration")
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;duration is a field in my data.  Ignoring the bucket of one day tied to the _time (parses the search by date)... I just ran my new search for 24h, which is the same thing (and much quicker).  The above results in:&lt;/P&gt;

&lt;P&gt;sumdur  Time Connected&lt;BR /&gt;
106846  1+05:40:46&lt;/P&gt;

&lt;P&gt;Yeah...I live on VPN...&lt;/P&gt;</description>
    <pubDate>Mon, 25 Apr 2016 15:08:48 GMT</pubDate>
    <dc:creator>ccsfdave</dc:creator>
    <dc:date>2016-04-25T15:08:48Z</dc:date>
    <item>
      <title>How to search duration using two timestamps?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214038#M42068</link>
      <description>&lt;P&gt;Hi, &lt;/P&gt;

&lt;P&gt;We need to find duration between timestamps and the format looks like below.&lt;/P&gt;

&lt;P&gt;max_time=1461593558.000&lt;BR /&gt;
min_time=1461593258.000&lt;/P&gt;

&lt;P&gt;Used the search below to convert this to a proper time frame.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=datapower   |stats avg(Time) as Average,Count 
| eval Average=round(Average,2) |where Average&amp;gt;50
| addinfo 
| eval SearchstartTime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S")
| eval SearchendTime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S") 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Tried finding difference like this by adding this to the end of the search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| eval diff= tostring(SearchendTime - SearchstartTime,"duration")
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;but it is not retrieving any results.&lt;/P&gt;

&lt;P&gt;Can you please help?&lt;/P&gt;</description>
      <pubDate>Mon, 25 Apr 2016 14:22:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214038#M42068</guid>
      <dc:creator>splunker9999</dc:creator>
      <dc:date>2016-04-25T14:22:12Z</dc:date>
    </item>
    <item>
      <title>Re: How to search duration using two timestamps?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214039#M42069</link>
      <description>&lt;P&gt;I have a search to find VPN connection durations, which I built a long time ago and probably with the help of answers.splunk.com.  But here are the relevant parts if you can pick it apart for your usecase:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; | convert dur2sec(duration) |bucket _time span=1d | stats sum(duration) as sumdur by _time src_ip  |eval "Time Connected"=tostring(sumdur, "duration") |fields - sumdur |rename _time as Date | convert timeformat=%m/%d/%Y ctime(Date) 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 25 Apr 2016 14:31:23 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214039#M42069</guid>
      <dc:creator>ccsfdave</dc:creator>
      <dc:date>2016-04-25T14:31:23Z</dc:date>
    </item>
    <item>
      <title>Re: How to search duration using two timestamps?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214040#M42070</link>
      <description>&lt;P&gt;Use info_min_time and info_max_time (which are in epoch format) to calculate duration. &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; index=datapower   |stats avg(Time) as Average,Count 
 | eval Average=round(Average,2) |where Average&amp;gt;50
 | addinfo | eval duration=tostring(info_max_time-info_min_time,"duration")
 | eval SearchstartTime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S")
  |eval SearchendTime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S") 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 09:29:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214040#M42070</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2020-09-29T09:29:20Z</dc:date>
    </item>
    <item>
      <title>Re: How to search duration using two timestamps?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214041#M42071</link>
      <description>&lt;P&gt;Thanks Dave, used tostring with eval, but this is not returning any  results .There might be some issue with strftime .&lt;/P&gt;</description>
      <pubDate>Mon, 25 Apr 2016 14:52:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214041#M42071</guid>
      <dc:creator>splunker9999</dc:creator>
      <dc:date>2016-04-25T14:52:34Z</dc:date>
    </item>
    <item>
      <title>Re: How to search duration using two timestamps?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214042#M42072</link>
      <description>&lt;P&gt;Hmm, sorry it's not working for you...  I stripped it down more and the eval does work for me (obviously).  Not sure why.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| convert dur2sec(duration) | stats sum(duration) as sumdur |eval "Time Connected"=tostring(sumdur, "duration")
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;duration is a field in my data.  Ignoring the bucket of one day tied to the _time (parses the search by date)... I just ran my new search for 24h, which is the same thing (and much quicker).  The above results in:&lt;/P&gt;

&lt;P&gt;sumdur  Time Connected&lt;BR /&gt;
106846  1+05:40:46&lt;/P&gt;

&lt;P&gt;Yeah...I live on VPN...&lt;/P&gt;</description>
      <pubDate>Mon, 25 Apr 2016 15:08:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214042#M42072</guid>
      <dc:creator>ccsfdave</dc:creator>
      <dc:date>2016-04-25T15:08:48Z</dc:date>
    </item>
    <item>
      <title>Re: How to search duration using two timestamps?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214043#M42073</link>
      <description>&lt;P&gt;Please confirm that &lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; index=datapower   |stats avg(Time) as Average,Count 
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;returns events?&lt;/P&gt;</description>
      <pubDate>Mon, 25 Apr 2016 19:16:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-search-duration-using-two-timestamps/m-p/214043#M42073</guid>
      <dc:creator>Richfez</dc:creator>
      <dc:date>2016-04-25T19:16:27Z</dc:date>
    </item>
  </channel>
</rss>

