https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333324#M160893 <P>I wanted to display the duration in sections for example the output will be:<BR /> 8d+18H:30M:28S</P> Thu, 26 Sep 2019 17:52:12 GMT tegaslink 2019-09-26T17:52:12Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333313#M160882 <P>I have time stamps in the format of H:MM. But when the minutes reach 60 they don't add an hour only when the number reaching above .99 does it add an hour.</P> <P>This makes the timestamp hard to read.</P> <P>What complicates the issue is that the elapsed time can be anywhere from .22 to 3.22.</P> <P>I'm calculating these elapsed times from two correctly formatted time stamps, converting those to seconds, subtracting them then converting back to normal time. I've tried if and case evals but they aren't always correct.</P> <P>Has anyone found a solution to a problem similar to this?</P> Thu, 01 Jun 2017 16:10:30 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333313#M160882 jordanb93 2017-06-01T16:10:30Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333314#M160883 <P>How are you doing the "converting back to normal time" part? Are you using <CODE>strftime</CODE> or <CODE>tostring(seconds,"duration")</CODE>?</P> Thu, 01 Jun 2017 17:52:04 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333314#M160883 richgalloway 2017-06-01T17:52:04Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333315#M160884 <P>Is Splunk parsing the data correctly? Is the _time field the correct time? If so maybe you can just use that. If not you'll have to get fancy with eval commands to convert the time stamp yourself.</P> Fri, 02 Jun 2017 01:23:00 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333315#M160884 pappjr 2017-06-02T01:23:00Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333316#M160885 <PRE><CODE>| makeresults | eval DurationInSeconds=234.76 | eval DurationDisplay=strftime(DurationInSeconds,"%H:%M:%S.%3N") </CODE></PRE> Fri, 02 Jun 2017 01:49:36 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333316#M160885 DalJeanis 2017-06-02T01:49:36Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333317#M160886 <P>eval DurationDisplay=strftime(differenceEpoch,"%H:%M:%S")</P> <P>The issue is that the calculation is close to being correct. From my data i'll have a timestamp like 21:20:00 and 20:00:00 i need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.</P> Mon, 05 Jun 2017 13:24:12 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333317#M160886 jordanb93 2017-06-05T13:24:12Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333318#M160887 <P>The issue is that the calculation is close to being correct. From my data i'll have a timestamp like 21:20:00 and 20:00:00 i need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.</P> Mon, 05 Jun 2017 13:26:58 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333318#M160887 jordanb93 2017-06-05T13:26:58Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333319#M160888 <P>try using tostring instead of strftime. strftime is more for a datestamp since it's using epoch and tostring is for actual seconds duration:</P> <P>this got me 1 hour and 20 minutes.</P> <PRE><CODE>|makeresults |eval starttime="21:20:00"|eval endtime="20:00:00"|eval secondsstart=strptime(starttime,"%H:%M:%S")|eval secondsend=strptime(endtime,"%H:%M:%S")|eval durationseconds=secondsstart-secondsend|eval duration=mvindex(split(tostring(durationseconds,"duration"),"."),0) </CODE></PRE> Mon, 05 Jun 2017 14:19:30 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333319#M160888 cmerriman 2017-06-05T14:19:30Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333320#M160889 <PRE><CODE>| makeresults | eval times="21:20:00,20:00:00 20:00:00,21:20:00" | makemv times | mvexpand times | makemv delim="," times | eval starttime=mvindex(times,0), endtime=mvindex(times,1) | table starttime endtime | rename COMMENT as "The above just generates test data." | eval startepoch=strptime(starttime,"%H:%M:%S"), endepoch=strptime(endtime,"%H:%M:%S") | eval endepoch=if(endepoch&lt;startepoch,endepoch+86400,endepoch) | eval durationepoch=endepoch-startepoch | eval duration=strftime(durationepoch,"%H:%M:%S") </CODE></PRE> Thu, 08 Jun 2017 15:50:06 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333320#M160889 DalJeanis 2017-06-08T15:50:06Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333321#M160890 <P>@cmerriman i used the solution you provided "(split(tostring(durationseconds,"duration"),"."),0)"<BR /> but this came out with very weird answers. I got answers like <BR /> 6+02:23:16 9+03:34:54<BR /> 4+08:55:02 6+13:22:33<BR /> 5+20:20:19 8+18:30:28<BR /> <STRONG>5+20:20:19 8+18:30:28</STRONG></P> <P>I don't know how to explain 8 + 18:30:28 , where do i fit that. do i have to do more computation to sum that up again. I don't really see a documentation on SPLUNK's Docs for all of this, nothing covers how to calculate duration or the answers to expect after this is being used. <BR /> Please explain this process to me, it is really vague</P> Sun, 22 Sep 2019 03:44:55 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333321#M160890 tegaslink 2019-09-22T03:44:55Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333322#M160891 <P>The 8+ is referring to the number of days. How exactly are you wanting to display duration?</P> Sun, 22 Sep 2019 15:05:49 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333322#M160891 cmerriman 2019-09-22T15:05:49Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333323#M160892 <P>does this also apply if you utlize the _time in the stats?</P> Thu, 26 Sep 2019 14:09:49 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333323#M160892 reneedeleon 2019-09-26T14:09:49Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333324#M160893 <P>I wanted to display the duration in sections for example the output will be:<BR /> 8d+18H:30M:28S</P> Thu, 26 Sep 2019 17:52:12 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333324#M160893 tegaslink 2019-09-26T17:52:12Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333325#M160894 <P>you can try something like this: <CODE>|eval dur2=floor(time/86400)."d+".floor(time/3600)."H:".(floor(time/60)%60)."M:".floor(time%60)."S"</CODE><BR /> but generally the duration is doing what you want, without adding the d/H/M/S values.</P> <P>8+18:30:28 means 8 days, 18 hours, 30 minutes, and 28 seconds.</P> Thu, 26 Sep 2019 23:17:07 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333325#M160894 cmerriman 2019-09-26T23:17:07Z https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333326#M160895 <P>That's solid. It worked!<BR /> Thanks a lot.</P> Wed, 02 Oct 2019 22:10:11 GMT https://community.splunk.com/t5/Splunk-Search/Time-Conversion-Elapsed-Time/m-p/333326#M160895 tegaslink 2019-10-02T22:10:11Z