https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439162#M76571 <P>You could of course just timechart the daily runtime value by assigning <CODE>_time = startTime</CODE> and then running a timechart with a <CODE>span=1d</CODE>. That doesn't visualize when the job started and stopped exactly (I thought that is what you were after), but does allow you to show a line/bar chart to show the runtime trend over time.</P> <P>For example:</P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval _time=startTime | eval runTime=(endTime-startTime) | timechart span=1d avg(runTime) as runTime by jobName </CODE></PRE> <P>Note: this charts the runtime as a number of seconds. If jobs typically take several minutes or hours to run, you might be better of displaying it as number of minutes. For example:</P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval _time=startTime | eval runTime=round((endTime-startTime)/60,1) | timechart span=1d avg(runTime) as runTime by jobName </CODE></PRE> Tue, 25 Jun 2019 07:06:51 GMT FrankVl 2019-06-25T07:06:51Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439153#M76562 <P>I am working to find the difference between two events and have the following:</P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval time=strftime(_time, "%H:%M:%S") | eval runTime=(endTime-startTime) | eval runTime=strftime(runTime,"%H:%M:%S") | table JobName, runTime </CODE></PRE> <P>I am getting back a runTime of 22:43:35, which is not what I expect or want. I would like the time to show starting from 0, I want the runTime to show in a format of 03:23:00; 3 hours and 23 minutes.</P> Mon, 24 Jun 2019 13:56:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439153#M76562 aohls 2019-06-24T13:56:32Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439154#M76563 <P>Give this a try</P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval time=strftime(_time, "%H:%M:%S") | eval runTime=(endTime-startTime) | eval runTime=tostring(runTime,"duration") | table JobName, runTime </CODE></PRE> Mon, 24 Jun 2019 14:04:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439154#M76563 somesoni2 2019-06-24T14:04:01Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439155#M76564 <P>@somesoni2 That worked perfect and exactly what I was looking for.</P> Mon, 24 Jun 2019 14:07:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439155#M76564 aohls 2019-06-24T14:07:35Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439156#M76565 <P>Yeah, <CODE>tostring(runTime,"duration")</CODE> should work.</P> Mon, 24 Jun 2019 14:08:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439156#M76565 VatsalJagani 2019-06-24T14:08:49Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439157#M76566 <P>Would this mean that I cannot use the runTime in a timechart? The runTime is the running of jobs and I was looking to show the daily runs to graph over time.</P> Mon, 24 Jun 2019 14:15:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439157#M76566 aohls 2019-06-24T14:15:51Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439158#M76567 <P>runTime was in seconds, after using tostring we have converted into string. You can use integer in timechart not string.<BR /> But I don't think timechart will fit here, you can use <A href="https://splunkbase.splunk.com/app/3120/">Timeline visualization</A>.</P> Mon, 24 Jun 2019 14:26:35 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439158#M76567 VatsalJagani 2019-06-24T14:26:35Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439159#M76568 <P>runtime is just the number of seconds between start and end time. Not sure how you envisioned timecharting that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> You might want to take a look at visualization add-ons that are perhaps more suitable for displaying job runtimes over time. e.g.: <A href="https://splunkbase.splunk.com/app/3120/">https://splunkbase.splunk.com/app/3120/</A></P> <P>Also: not sure what that <CODE>| eval time=strftime(_time, "%H:%M:%S")</CODE> is doing there, as there is no <CODE>_time</CODE> field anymore after that stats command. But then again, you're not using that field anyway.</P> <P>PS: you could also do <CODE>| stats range(_time) as runTime by JobName| eval runTime=tostring(runTime,"duration")</CODE> . But if you really want to visualize the job run on a timescale, you are probably going to need those start and end time values.</P> Mon, 24 Jun 2019 14:30:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439159#M76568 FrankVl 2019-06-24T14:30:49Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439160#M76569 <P>That makes sense. The idea was that these jobs run every day so I wanted to keep track of the run time to chart how long it is taking over time; really to trend the items over time.</P> Mon, 24 Jun 2019 15:56:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439160#M76569 aohls 2019-06-24T15:56:32Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439161#M76570 <P>Minor Revisions <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval runTime=(endTime-startTime) | eval time=strftime(runTime, "%H:%M:%S") | table JobName, time </CODE></PRE> Mon, 24 Jun 2019 16:33:06 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439161#M76570 sumanssah 2019-06-24T16:33:06Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439162#M76571 <P>You could of course just timechart the daily runtime value by assigning <CODE>_time = startTime</CODE> and then running a timechart with a <CODE>span=1d</CODE>. That doesn't visualize when the job started and stopped exactly (I thought that is what you were after), but does allow you to show a line/bar chart to show the runtime trend over time.</P> <P>For example:</P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval _time=startTime | eval runTime=(endTime-startTime) | timechart span=1d avg(runTime) as runTime by jobName </CODE></PRE> <P>Note: this charts the runtime as a number of seconds. If jobs typically take several minutes or hours to run, you might be better of displaying it as number of minutes. For example:</P> <PRE><CODE>| stats earliest(_time) as startTime, latest(_time) as endTime by JobName | eval _time=startTime | eval runTime=round((endTime-startTime)/60,1) | timechart span=1d avg(runTime) as runTime by jobName </CODE></PRE> Tue, 25 Jun 2019 07:06:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439162#M76571 FrankVl 2019-06-25T07:06:51Z https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439163#M76572 <P>Try this:</P> <PRE><CODE>... | stats range(_time) AS runTime BY JobName | table JobName, runTime | fieldformat runTime = tostring(runTime, "duration") </CODE></PRE> Mon, 01 Jul 2019 18:27:16 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-the-time-difference-not-evaluating-correctly/m-p/439163#M76572 woodcock 2019-07-01T18:27:16Z