https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151810#M42519 <P>You can append this to your search</P> <PRE><CODE>... | addinfo | eval search_time_duration = info_max_time - info_min_time </CODE></PRE> <P>and do your maths after that.</P> Tue, 22 Jul 2014 04:25:12 GMT martin_mueller 2014-07-22T04:25:12Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151809#M42518 <P>I have a search that use <EM>transaction</EM> command and calculate duration of a transaction , I want to perform calculation on this duration data to find out number of minutes missed due to service outage. </P> <P>Is there a way to find out what was time duration selected for a particular search so it can be used in eval function ? </P> <PRE><CODE>index= public60 eventtype=alarm_notify | rex field=_raw "severity&gt;(?&lt;severity&gt;.*)&lt;/severity.*kpiname&gt;(?&lt;kpi&gt;.*) Bandwidth.*&lt;/kpiname.*target&gt;(?&lt;interface&gt;.*)&lt;/target.*targetparent&gt;(?&lt;device&gt;.*)&lt;/target.*Bandwidth in over (?&lt;bandwidth&gt;.*%) " | search kpi = wanIf OR lanIf | eval device_interface = device." - ".interface | transaction startswith=critical endswith=normal | eval available_percentage = (86400-duration)/86400*100 </CODE></PRE> Tue, 22 Jul 2014 03:44:50 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151809#M42518 irfans 2014-07-22T03:44:50Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151810#M42519 <P>You can append this to your search</P> <PRE><CODE>... | addinfo | eval search_time_duration = info_max_time - info_min_time </CODE></PRE> <P>and do your maths after that.</P> Tue, 22 Jul 2014 04:25:12 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151810#M42519 martin_mueller 2014-07-22T04:25:12Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151811#M42520 <P>Thanks for quick response, one interesting to note is that duration is never a perfect time period . It seems like instead of search time frame what you end up getting is time difference between earliest and latest search result.</P> Tue, 22 Jul 2014 19:39:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151811#M42520 irfans 2014-07-22T19:39:51Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151812#M42521 <P>Not really, you do get the correct time range bounds. For example, when I run this over "Previous month" I expect to have my earliest event around 30 days ago, so the start of the time range is going to be much earlier:</P> <PRE><CODE>index=_internal | stats earliest(_time) as earliesttime latest(_time) as latesttime | addinfo | foreach *time [eval &lt;&lt;FIELD&gt;&gt; = strftime(&lt;&lt;FIELD&gt;&gt;, "%F %G")] </CODE></PRE> <P>Here's what I get as a result:</P> <PRE><CODE>earliesttime latesttime info_max_time info_min_time 2014-06-24 09:08:10 2014-06-30 15:49:01 2014-07-01 00:00:00 2014-06-01 00:00:00 </CODE></PRE> Wed, 23 Jul 2014 09:39:15 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-search-time-duration-in-search-itself/m-p/151812#M42521 martin_mueller 2014-07-23T09:39:15Z