https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349761#M163230 <P>Here you go </P> <P>| makeresults <BR /> | eval current="10:00:00" <BR /> | eval c_time=strptime(current,"%H:%M:%S") <BR /> | eval duration=30 <BR /> | eval total = c_time+duration <BR /> | convert ctime(total)</P> Tue, 29 Sep 2020 17:55:52 GMT ssadanala1 2020-09-29T17:55:52Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349757#M163226 <P>Basically just trying to add three time values together by doing this: <CODE>eval total_time = queue_time + Duration + test_summary.duration</CODE>, but I am not getting any results. Any help?</P> Tue, 30 Jan 2018 14:05:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349757#M163226 cdgill 2018-01-30T14:05:23Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349758#M163227 <P>Hi @cdgill,</P> <P>Can you please provide sample data for all three fields ?</P> Tue, 30 Jan 2018 15:50:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349758#M163227 harsmarvania57 2018-01-30T15:50:27Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349759#M163228 <P>@cdgill, make sure that the three field names are correct and have same case as field names are case sensitive i.e. <CODE>queue_time</CODE>, <CODE>Duration</CODE> and <CODE>test_summary.duration</CODE>.</P> <P>Since dot <CODE>(.)</CODE> is used as string concatenation character for eval, you would need to escape the dot character present in the field name using <CODE>single quotes in eval expression</CODE>.</P> <PRE><CODE>&lt;YourBaseSearchWithThreeFields&gt; | eval total_time = queue_time + Duration + 'test_summary.duration' </CODE></PRE> <P>Following is a run anywhere example for the same:</P> <PRE><CODE>| makeresults | eval queue_time=5, Duration=4, test_summary.duration=7 | table queue_time Duration "test_summary.duration" | eval total_time = queue_time + Duration + 'test_summary.duration' </CODE></PRE> Tue, 30 Jan 2018 16:19:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349759#M163228 niketn 2018-01-30T16:19:59Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349760#M163229 <P>Just attempted your solution and it seemed to just perform a string concatenation. </P> Tue, 30 Jan 2018 18:45:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349760#M163229 cdgill 2018-01-30T18:45:04Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349761#M163230 <P>Here you go </P> <P>| makeresults <BR /> | eval current="10:00:00" <BR /> | eval c_time=strptime(current,"%H:%M:%S") <BR /> | eval duration=30 <BR /> | eval total = c_time+duration <BR /> | convert ctime(total)</P> Tue, 29 Sep 2020 17:55:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349761#M163230 ssadanala1 2020-09-29T17:55:52Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349762#M163231 <P>@cdgill, have you tried the run anywhere search above? Are you not getting the total_time as 16?</P> <P>If run anywhere search is working and <CODE>| eval total_time = queue_time + Duration + 'test_summary.duration'</CODE> is not working in your current search please add some sample data for the three fields and also mention the field names as is.</P> <P>What happens when you print <CODE>| table queue_time Duration "test_summary.duration"</CODE>. Are the fields showing values correctly?</P> Tue, 30 Jan 2018 20:01:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349762#M163231 niketn 2018-01-30T20:01:14Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349763#M163232 <P>Here's an image which shows my table along with my search query. I appreciate the help, I'm very new and lost when it comes to Splunk! <A href="https://imgur.com/a/FfM0Q">https://imgur.com/a/FfM0Q</A></P> Tue, 30 Jan 2018 20:04:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349763#M163232 cdgill 2018-01-30T20:04:44Z https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349764#M163233 <P>@cdgill you need to convert the duration to epoch and later change it to human readable format</P> Tue, 30 Jan 2018 20:11:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-time-values-together-in-search-query/m-p/349764#M163233 ssadanala1 2018-01-30T20:11:18Z