topic Re: Eval calculate time since event in Splunk Search

How to eval calculate time since event?

michaeler — Tue, 28 Feb 2023 18:55:03 GMT

I'm trying to add a "Downtime" field to my table. The timestamp on the event isn't reliable because it is when the issue was reported, not when it began so I had to extract the time from another field. This is a two-part question.

1. Is there a better, more simple way to get my "Downtime" variable.

rex field=issue ".+(?P<S_Time>\d{4})[Z]\s(?P<S_Date>\d{2}\s[A-Z][a-z]{2})"
eval Issue_Began=S_Time. " ".S_Date." ".date_year ```Output ex - 0654 27 Feb 2023```
eval StartTime=strftime(strptime(Issue_Began, "%H%M %d %B %Y"), "%m/%d/%Y %H:%M")
eval duration=now()-strptime(StartTime, "%m/%d/%Y %H:%M")
eval duration=tostring(duration,"duration")
rex field=duration "((?P<D>\d{1,2})\+)?(?P<H>\d{2}):(?P<M>\d{2})" ```Output ex - 1+05:16.51```
eval Downtime=D."D ".H."H ".M."M "

2. When a system is down for less than 24 hours, the Downtime field is blank, otherwise it will give me the expected result of "1D 05H 16M". How do I alter that eval to skip "D" if it is null? I'm assuming that's the issue because the field operates properly for all other events over 1 day long.

Answers to either question is greatly appreciated!

Re: Eval calculate time since event

ITWhisperer — Tue, 28 Feb 2023 12:27:06 GMT

The strptime() function should be able to extract the timestamp from the field

| rex field=issue ".+(?<timedate>\d{4}\s\d{2}\s[A-Z][a-z]{2})" | eval Issue_Began=strptime(timedate." ".date_year,"%H%M %d %b %Y")

and use fillnull

| fillnull value=0 D

Re: Eval calculate time since event

PickleRick — Tue, 28 Feb 2023 12:32:21 GMT

1. Please, paste your code in preformatted block or code block - it greatly improves readability. Also, you forgot the pipes between different commands. In this case it's pretty understandable where they should be but it's not always the case.

2. Don't overthink! If you have a timestamp in the unix timestamp format (number of seconds since epoch), there's no more convenient form! With such a numerical field you can easily calculate offsets, differences and such. Only at the final step of your process you should render this to a datetime string or duration string.

So just strptime() your time fields, calculate the difference and you're good. Doing strptime and strftime several times in a row doesn't help you - it just introduces more points where you can do something wrong (for example by specifying wrong time format) and is more CPU-expensive.

Re: Eval calculate time since event

michaeler — Tue, 28 Feb 2023 13:47:46 GMT

1. That would make it easier but the Splunk instance I manage has no internet connectivity so I have to manually retype it over.

2. Good point, I felt like I was over complicating it

Re: Eval calculate time since event

michaeler — Tue, 28 Feb 2023 13:54:41 GMT

In the issue field the time is displayed as 0654Z 27 Feb. Will this still work? Thats the only reason I extracted the time and day/month separately.

Re: Eval calculate time since event

michaeler — Tue, 28 Feb 2023 14:10:05 GMT

Nevermind. Just added %Z in the eval and it worked fine. Thanks for the help!

Re: Eval calculate time since event

ITWhisperer — Tue, 28 Feb 2023 14:14:45 GMT

Sorry, I forgot the Z, try this

| rex field=issue ".+(?<time>\d{4})Z\s(?<date>\d{2}\s[A-Z][a-z]{2})" | eval Issue_Began=strptime(time." ".date." ".date_year,"%H%M %d %b %Y")