https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601574#M209365 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>all the time calculations must be done on numbers, so the tostring option is good to display a duration in human readable format, but it isn't good for calculations.</P><P>So make calculations before the tostring transformation, as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;hinted:</P><P>if you want a duration greater one hour you have to calculate something like this.</P><LI-CODE lang="markup">| eval condition=if(duration&gt;3600),"More than 1 hour","Less than 1 hour")</LI-CODE><P>If this or another one answer solves your need, please, accept it for the other people of Community.</P><P>Ciao.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 13 Jun 2022 14:37:22 GMT gcusello 2022-06-13T14:37:22Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601532#M209346 <P>Hi all,&nbsp; &nbsp;I need to calculate the duration i.e. difference between endtime &amp; starttime and display the same in a user friendly format.&nbsp; I have looked at different posts on the forum and am using the same logic yet if you see my splunk results below,&nbsp; the duration column shows numbers like 81, 82 , 96... which doesn't make sense.&nbsp; &nbsp;Are these difference in secs ? Even if its secs, the math doesn't seem to be correct.&nbsp; &nbsp; How can I make diff value show in a readable format like&nbsp; 81 seconds, or&nbsp; 00:00:81 ( HH:MM:SS) ?</P> <P>&nbsp;</P> <LI-CODE lang="markup">| transaction eventID startswith=starting endswith=end | eval starttime = _time | eval endtime=_time+duration | eval duration = endtime-starttime | convert ctime(starttime)| convert ctime(endtime) | table starttime, endtime, duraton</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1655122704866.png" style="width: 429px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20056i404C83B12FC5B515/image-dimensions/429x981?v=v2" width="429" height="981" role="button" title="neerajs_81_0-1655122704866.png" alt="neerajs_81_0-1655122704866.png" /></span></P> <P>&nbsp;</P> Mon, 13 Jun 2022 20:13:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601532#M209346 neerajs_81 2022-06-13T20:13:13Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601533#M209347 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>di you explored the use of tostring option?</P><P>somthing like this:</P><LI-CODE lang="markup">| transaction eventID startswith=starting endswith=end | eval starttime = _time | eval endtime=_time+duration | eval duration = tostring(endtime-starttime,"duration") | convert ctime(starttime)| convert ctime(endtime) | table starttime, endtime, duraton</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 13 Jun 2022 12:24:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601533#M209347 gcusello 2022-06-13T12:24:29Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601560#M209359 <P>You are the man !!!.&nbsp; Thank you.<BR />One more related question,&nbsp; now that we have the duration calculated, how do i enable a condition to check if duration &gt; N hours or N mins ?&nbsp; &nbsp;Basically i need to filter for events where duration is past 1 hour say.&nbsp; Will the below where clause work ? Doesn't appear to be&nbsp; working<BR /><BR />| where duration &gt; 00:60:00&nbsp; &nbsp;OR | where duration &gt; 60<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1655128894949.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20058i07C6115826FD230A/image-size/medium?v=v2&amp;px=400" role="button" title="neerajs_81_0-1655128894949.png" alt="neerajs_81_0-1655128894949.png" /></span></P><P>&nbsp;</P> Mon, 13 Jun 2022 14:03:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601560#M209359 neerajs_81 2022-06-13T14:03:17Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601566#M209361 <P>Have your where command before the tostring() function remembering that the value will be in seconds, so use 3600 for 1 hour.</P> Mon, 13 Jun 2022 14:13:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601566#M209361 ITWhisperer 2022-06-13T14:13:46Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601569#M209363 <P>It does make perfect sense.</P><P>14:17:06 + 82 seconds = 14:18:06+22 seconds = 14:18:28</P><P>And so on.</P><P>I'd also advise to not use eval to convert from this seconds-based duration to string but use fieldformat. This way you retain the possibility to do any manipulation you want but you'll present the time to the user in a readable way.</P> Mon, 13 Jun 2022 14:17:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601569#M209363 PickleRick 2022-06-13T14:17:23Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601574#M209365 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>all the time calculations must be done on numbers, so the tostring option is good to display a duration in human readable format, but it isn't good for calculations.</P><P>So make calculations before the tostring transformation, as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;hinted:</P><P>if you want a duration greater one hour you have to calculate something like this.</P><LI-CODE lang="markup">| eval condition=if(duration&gt;3600),"More than 1 hour","Less than 1 hour")</LI-CODE><P>If this or another one answer solves your need, please, accept it for the other people of Community.</P><P>Ciao.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by all the Contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 13 Jun 2022 14:37:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-time-difference-duration-not-showing-correct/m-p/601574#M209365 gcusello 2022-06-13T14:37:22Z