Eval total duration in minutes

lavster — Wed, 28 Aug 2019 06:15:45 GMT

i've created a table from a project run that displays the time a run started, ended and what time files have been created during the run.

However Im trying to do an eval to get the Total Duration in Minutes for each service which is

Re: Eval total duration in minutes

gcusello — Wed, 28 Aug 2019 11:29:28 GMT

Hi lavster,
I suggest to use a different approach to this kind of searches:

at first stop to think to Splunk as a database!
then don't use join because it's a very slow command!
in addition, remember that there's the limit of 50,000 results for subsearches, so you cannot be sure to have all the results in subsearches used in joins;
don't use fields with spaces (e.g. "ESLA File Start"), if you want, you can rename fields at the end of the search

So you should try to build something like this one:

index=esla OR index=mule-new (State=START OR State=END) Service="Early SLA"
| bucket _time span=1d as Day 
| eval "ESLA File Start"=if(State="START",FileTime,""),"ESLA File End"=if(State="END",FileTime,""), Day=strftime(Day,"%d/%m/%Y")
| stats earliest(_time) as ESLA_Start latest(_time) as ESLA_End values( "ESLA File Start") AS  "ESLA File Start" values( "ESLA File End") AS  "ESLA File End" by Day
| eval st=strptime(ESLA_Start,"%H:%M:%S"), et=strptime("ESLA File End","%H:%M:%S"), diff=et-st, "ESLA_Total" = tostring(diff, "duration")
| table Day ESLA_Start ESLA_End "ESLA File Start" "ESLA File End" "ESLA_Total"

I cannot test it but the approach should be correct.

Bye.
Giuseppe

Re: Eval total duration in minutes

lavster — Wed, 28 Aug 2019 11:33:50 GMT

Thank you, i'll give this a go.

topic Eval total duration in minutes in Splunk Search

Eval total duration in minutes

Re: Eval total duration in minutes

Re: Eval total duration in minutes