topic Re: Time duration filter in Splunk Search

Time duration filter

jerinvarghese — Wed, 05 Aug 2020 13:54:59 GMT

Hi All,

Need help in getting the data for those Downtime > 15 mins. below is the query am using.

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p") | sort- Time | eval Downtime = tostring(now() - Time, "duration") | rex field=Downtime "(?P<Downtime>[^.]+)" | table Hostname Status Classification "Site Code", sitename, Time Downtime

output:

Device name

Down

Bronze

LHC

Luanda

2020-08-05 2:02:40 PM

00:14:45

Re: Time duration filter

richgalloway — Wed, 05 Aug 2020 14:01:23 GMT

You have a search and you have results. What is the problem?

Re: Time duration filter

jerinvarghese — Wed, 05 Aug 2020 14:10:27 GMT

HI Rich, the data is for everything that appears in my tool. But i want a hold down timer of 15 mins.

i tried using below commands but that didn't worked.

| where Downtime >900

Also tried below

| where duration>900

but am not getting a data while adding this query.

Re: Time duration filter

richgalloway — Wed, 05 Aug 2020 14:39:33 GMT

OK. I thought that might be the case, but it wasn't stated.

The clauses you tried won't work because they're comparing strings to integers. You must compare numbers to numbers.

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p") | sort- Time | eval Downtime = now() - Time | where Downtime > 900 | fieldformat Downtime = tostring(Downtime, "duration") | rex field=Downtime "(?P<Downtime>[^.]+)" | table Hostname Status Classification "Site Code", sitename, Time Downtime