topic Re: How to add a lapsed time to a field's timestamp in Splunk Search

How to add a lapsed time to a field's timestamp

MeMilo09 — Wed, 17 Nov 2021 04:54:41 GMT

Howdy,

Been researching on how to give time for the next sequential event to occur, but have not found a way. Lets say field X occurred and the next event to take place is field Y, but field Y is null if under 24 hrs give Length_of_Time in min once Y happens.

Issue is if its the same day and Y still has not occurred following X -- , give X 24 hours to happen from the time field Y happened before marking it as failure of error... So far this is what I have...

| eval X = strptime(StartTime,"%Y-%m-%d %H:%M:%S.%q"), Y =strptime(EndTime,"%Y-%m-%d %H:%M:%S.%6N") note: 86400 is 24 hrs in seconds | eval Length_of_Time = if(isNull(Y)AND Y-X < 86400 AND 86400<=X,round((X-Y)/60,0))

Re: How to add a lapsed time to a field's timestamp

ITWhisperer — Wed, 17 Nov 2021 06:33:35 GMT

It is unclear to me what you are trying to achieve here - if Y is null, what are you expecting from any further calculations involving Y? Assuming StartTime is a timestamp field, X will probably always be greater than 86400. Assuming you do have actual datetimes in X and Y, the description would suggest that Y occurs after X, so X-Y will be negative.

Please can you clarify, perhaps with some real examples of the event you are dealing with?

Re: How to add a lapsed time to a field's timestamp

MeMilo09 — Wed, 17 Nov 2021 07:21:07 GMT

Hi,

my bad for the confusion, I am temporary away from my work station and don’t have the actual code at the moment

Y can take upto 24 hours to show up after x - making it null until the 24 hours complete.

so I was thinking I could include a lapse of time of 24 hours after x took place.