topic Re: Time value difference in duration: getting value as 0d in Splunk Search

Time value difference in duration: getting value as 0d

Chandras11 — Thu, 06 Sep 2018 15:30:52 GMT

HI All,

I am able to get the time value difference in epoch and able to convert it to string with the following command:-

eval LeadDays = ( Answer_Time - Bookingdate) |  eval LeadDays = tostring(LeadDays, "duration") |

Bookingdate             Answer_Time  LeadDays
1535635518.000000   1535708751.000000   20:20:33.000000
1535636031.000000   1536059535.000000   2+21:38:24.000000

The problem is in the first row: is there a way to convert it to 0+20:20:33.000000 instead of 20:20:33.000000

I tried to use string concat but it didnt work.

Also is there a way to convert 2+21:38:24 to only days as 2+21/24+38/3600= 2.88 days

Re: Time value difference in duration: getting value as 0d

aholzer — Thu, 06 Sep 2018 16:01:24 GMT

try this:

| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes

Explanation:

first preppend a "0+" if the LeadDays doesn't contain a "+" in it
capture the days / hours / minutes into different fields
use the fields captured in #2 to calculate a new field as per your requirements
remove the unnecessary fields

Hope this helps

Re: Time value difference in duration: getting value as 0d

Chandras11 — Fri, 07 Sep 2018 08:24:57 GMT

THanks a lot for the answer.

Re: Time value difference in duration: getting value as 0d

Chandras11 — Fri, 07 Sep 2018 09:05:47 GMT

I was trying to use the match command in eval case and it was giving me issues. This one is working like a charm.