https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494895#M137946 <P>hello.</P> <P>|eval temp=strptime(start_time, "%Y-%m-%d %H:%M:%S.%Q")<BR /> |eval temp1=temp+duration<BR /> |eval end_time=strftime(temp1,"%Y-%m-%d %H:%M:%S.%Q")</P> <P>|table start_time end_time duration<BR /> |stats avg(duration) as qwe</P> <P>|eval HH=floor(qwe/3600)<BR /> |eval MM=floor((qwe-(HH*3600))/60)<BR /> |eval SS=round(qwe-(HH*3600)-(MM*60),0)</P> <P>|eval avg_duration=(HH + ":" + MM + ":" +SS)<BR /> |fields avg_duration</P> <P>I expressed the hour and minute by the following command. It is possible by subtracting the minute from the average time and subtracting the minute from this part.</P> Wed, 30 Sep 2020 04:33:42 GMT jinseong 2020-09-30T04:33:42Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494886#M137937 <P>Hi all,</P> <P>I have a lookup like this.</P> <PRE><CODE> caseid date a 19-01-01 15:54:43.934000000 b 19-01-01 16:54:43.934000000 c 19-01-01 17:54:43.934000000 d 19-01-01 18:54:43.934000000 e f g . . . . . </CODE></PRE> <P>I did this command</P> <PRE><CODE>| inputlookup test1 | eval date=strptime(date,"%y-%m-%d %H:%M:%S.%9N") | stats min(date) as starttime max(date) as endtime by caseid | eval diff =endtime-starttime | stats avg(diff) as average </CODE></PRE> <P>my result is like this.(this is dummy)</P> <PRE><CODE>average 999999.9999999 </CODE></PRE> <P>I want to get results like this.</P> <PRE><CODE>average 3600 </CODE></PRE> <P>(this is 1 hour)<BR /> I understand I have to convert, but I don't know how to convert date differences to seconds.<BR /> Could you help me?</P> Thu, 12 Mar 2020 04:31:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494886#M137937 pipipipi 2020-03-12T04:31:45Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494887#M137938 <P>As such:</P> <PRE><CODE>| makeresults | eval _raw = "caseid,date a, 19-01-01 15:54:43.934000000 b, 19-01-01 16:54:43.934000000 c, 19-01-01 17:54:43.934000000 d, 19-01-01 18:54:43.934000000" | multikv forceheader=1 | eval date_new=strptime(date,"%y-%m-%d %H:%M:%S.%9N") | eventstats min(date_new) as starttime max(date_new) as endtime count as totalevents | eval avg = round((endtime-starttime) / totalevents, 1) </CODE></PRE> Thu, 12 Mar 2020 04:52:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494887#M137938 anmolpatel 2020-03-12T04:52:02Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494888#M137939 <P>@pipipipi </P> <P>Do you want to round?<BR /> Like by adding this in below search?</P> <PRE><CODE>| eval average=round(average,0) </CODE></PRE> <P>I tried your search with different data it is working.</P> <PRE><CODE>| makeresults | eval _raw=" caseid date a 19-01-01 15:54:43.934000000 b 19-01-01 16:54:43.934000000 c 19-01-01 17:54:43.934000000 d 19-01-01 18:54:43.934000000 a 19-01-01 18:54:43.934000000 b 19-01-01 19:54:43.934000000 c 19-01-01 20:54:43.934000000 d 19-01-01 21:54:43.934000000" | multikv forceheader=1 | eval date=strptime(date,"%y-%m-%d %H:%M:%S.%9N") | stats min(date) as starttime max(date) as endtime by caseid | eval diff =endtime-starttime | stats avg(diff) as average | eval average=round(average,0) </CODE></PRE> <P>Please let us know if you have different expectations.</P> <P>Thanks</P> Thu, 12 Mar 2020 04:56:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494888#M137939 kamlesh_vaghela 2020-03-12T04:56:38Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494889#M137940 <P>Thank you for helping me. <BR /> Sorry, my English is bad.</P> <P>I want to convert 99999.9999(this is example value) to 3600.</P> <PRE><CODE>| eval diff =endtime-starttime | stats avg(diff) as average </CODE></PRE> <P>is date difference, I want to express the date difference in seconds</P> <P>Thank you for helping</P> Thu, 12 Mar 2020 05:04:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494889#M137940 pipipipi 2020-03-12T05:04:07Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494890#M137941 <P>Thank you for helping me.<BR /> I have about 15000 column, so, <BR /> |eval _raw........ is difficult for me.</P> <P>Thank you so much.</P> Thu, 12 Mar 2020 05:08:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494890#M137941 pipipipi 2020-03-12T05:08:49Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494891#M137942 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/194061">@pipipipi</a> the _raw line is to demonstrate the example.</P> <P>In your case, you will have the following:<BR /> | inputlookup test1<BR /> | eval date_new=strptime(date,"%y-%m-%d %H:%M:%S.%9N") <BR /> | eventstats min(date_new) as starttime max(date_new) as endtime count as totalevents <BR /> | eval avg = round((endtime-starttime) / totalevents,1)</P> Wed, 30 Sep 2020 04:33:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494891#M137942 anmolpatel 2020-09-30T04:33:19Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494892#M137943 <P>Like this:</P> <PRE><CODE>| inputlookup test1 | eval date=strptime(date,"%y-%m-%d %H:%M:%S.%9N") | stats range(date) AS diff BY caseid | stats avg(diff) AS average | fieldformat average = tostring(average, "duration") </CODE></PRE> Thu, 12 Mar 2020 06:23:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494892#M137943 woodcock 2020-03-12T06:23:14Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494893#M137944 <PRE><CODE>999999.9999999 *+-/ ? = 3600 </CODE></PRE> <P>what's your formula?</P> Thu, 12 Mar 2020 09:48:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494893#M137944 to4kawa 2020-03-12T09:48:11Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494894#M137945 <P>Thank you for helping me.<BR /> When I using tostring, What is the unit of time? I think seconds, is it right?</P> Fri, 13 Mar 2020 00:38:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494894#M137945 pipipipi 2020-03-13T00:38:51Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494895#M137946 <P>hello.</P> <P>|eval temp=strptime(start_time, "%Y-%m-%d %H:%M:%S.%Q")<BR /> |eval temp1=temp+duration<BR /> |eval end_time=strftime(temp1,"%Y-%m-%d %H:%M:%S.%Q")</P> <P>|table start_time end_time duration<BR /> |stats avg(duration) as qwe</P> <P>|eval HH=floor(qwe/3600)<BR /> |eval MM=floor((qwe-(HH*3600))/60)<BR /> |eval SS=round(qwe-(HH*3600)-(MM*60),0)</P> <P>|eval avg_duration=(HH + ":" + MM + ":" +SS)<BR /> |fields avg_duration</P> <P>I expressed the hour and minute by the following command. It is possible by subtracting the minute from the average time and subtracting the minute from this part.</P> Wed, 30 Sep 2020 04:33:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494895#M137946 jinseong 2020-09-30T04:33:42Z https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494896#M137947 <P>It auto-ranges the output but keeps the actual value as <CODE>seconds</CODE> stored as a number (unitless).</P> Mon, 16 Mar 2020 11:02:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-convert-date-differences-to-seconds/m-p/494896#M137947 woodcock 2020-03-16T11:02:26Z