topic Re: How do I represent a time difference by changing the time format? in Knowledge Management

How do I represent a time difference by changing the time format?

j_r — Thu, 06 Dec 2018 17:03:58 GMT

hello all together,

I'm new to Splunk and I have this problem:

i want to represent a time difference and I already have the right search commands.

Unfortunately, the formatting doesn't work yet.

I want to display the difference in minutes. But, at the moment, 2 hours are added to the results (see picture).
Example: The first line. The result in TimeDiff should be 00:10:35 and not 02:10:35.

Re: How do I represent a time difference by changing the time format?

renjith_nair — Thu, 06 Dec 2018 18:35:09 GMT

@j_r,

Timediff is calulated in seconds.

Try this

|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")

Verified with:

    |makeresults|eval start="10:13:48",ende="10:24:23"
    |eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")

Re: How do I represent a time difference by changing the time format?

j_r — Fri, 07 Dec 2018 08:36:01 GMT

Thanks @renjith.nair 🙂

I would like to plot this time difference for a chosen process in a (time)chart. The Y-Axis should represent the time difference (Timediff) and the X-Axis the name of the Process.

base search
| search Process= my_process
| dedup Job_Typ 
| eval start = strptime(Startzeit, "%H:%M:%S")  
| eval ende = strptime(Endezeit, "%H:%M:%S")  
| eval Timediff=ende-start 
| eval start= strftime(start,"%H:%M:%S") 
| eval ende= strftime(ende,"%H:%M:%S") 
|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
| table  start ende Timediff Process

i tried with | chart values(Timediff) by Process but the chart was empty.

Re: How do I represent a time difference by changing the time format?

renjith_nair — Sun, 09 Dec 2018 00:42:40 GMT

@j_r, thats because TimeDiff is a string.

Try this

base search
 | search Process= my_process
 | dedup Job_Typ 
 | eval Difference=strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S")
 | eval Timediff=tostring(Difference,"duration")
 | chart values(Difference) over Process by  Timediff

Re: How do I represent a time difference by changing the time format?

nagarjuna280 — Sun, 09 Dec 2018 00:53:14 GMT

try this
| stats sum(timediff) by process _time
OR | chart values(timediff) over _time by process

Re: How do I represent a time difference by changing the time format?

j_r — Mon, 10 Dec 2018 12:45:24 GMT

Thanks for this, but unfortunately the result looks like this:

i changed the line to:

| chart values(Difference) over _time by  Process

And result is this one.

Now the result is correct but how can i display the y axis as time (time format)?
If i replace "Difference" by "Timediff" the chart ist empty

Re: How do I represent a time difference by changing the time format?

j_r — Mon, 10 Dec 2018 12:48:09 GMT

The second one worked. But the y axis is now as epoch time. How can i format it to "normal" time?

Re: How do I represent a time difference by changing the time format?

nagarjuna280 — Fri, 04 Jan 2019 03:06:54 GMT

add |convert ctime(_time) at the end