topic Re: How to find ELAPSED Time entries greater than a particular amount. in Splunk Search

How to find ELAPSED Time entries greater than a particular amount.

umithchada — Fri, 18 Mar 2022 16:55:04 GMT

Hello,

I am trying to find the list of elapsed time over a specific time using our os process sourcetype.

Looks something like this

index=os sourcetype=ps host=* COMMAND=*
| where ELAPSED > "12:59:59"
| table COMMAND ELAPSED _time

But for some reason, the ELAPSED time is still displaying values under this time.

If the ELAPSED Time goes over a day, I am able to filter that out with the where command.

Example:

| where ELAPSED > "60-12:59:59"
| table COMMAND ELAPSED _time

-> Output will give me the results which are older than 60 days, 12:59:59 hours.

Re: How to find ELAPSED Time entries greater than a particular amount.

ITWhisperer — Fri, 18 Mar 2022 17:34:07 GMT

Do you have ELAPSED_Time as a value in seconds rather than a string?

Re: How to find ELAPSED Time entries greater than a particular amount.

johnhuang — Fri, 18 Mar 2022 18:08:23 GMT

Convert elapsed time into seconds and then filter.

| rex field=ELAPSED "((?<dd>\d+)\-?)((?<hh>\d+)\:?)((?<mm>\d+)\:)?(?<ss>\d+)$" | eval elapsed_secs=(dd * 86400) + (hh * 3600) + (mm * 60) + (ss) | where elapsed_secs>46799

Re: How to find ELAPSED Time entries greater than a particular amount.

umithchada — Fri, 18 Mar 2022 18:42:24 GMT

Thanks, this worked for me,

Looks like for data sets below 1 day, we will have to convert to seconds to get accurate filtering.

Re: How to find ELAPSED Time entries greater than a particular amount.

umithchada — Fri, 18 Mar 2022 18:44:35 GMT

The value was of ELAPSED was like "05:00:00" .