Hello all,
I'm new to Splunk and I have this problem:
I want to represent a time difference and I already have the right search commands.
Unfortunately, the formatting doesn't work yet.
I want to display the difference in minutes. But, at the moment, 2 hours are added to the results (see picture).
Example: The first line. The result in TimeDiff should be 00:10:35 and not 02:10:35.
@j_r,
Timediff is calculated in seconds.
Try this
|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
Verified with:
|makeresults|eval start="10:13:48",ende="10:24:23"
|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
Thanks @renjith.nair 🙂
I would like to plot this time difference for a chosen process in a (time)chart. The Y-Axis should represent the time difference (Timediff) and the X-Axis the name of the Process.
base search
| search Process= my_process
| dedup Job_Typ
| eval start = strptime(Startzeit, "%H:%M:%S")
| eval ende = strptime(Endezeit, "%H:%M:%S")
| eval Timediff=ende-start
| eval start= strftime(start,"%H:%M:%S")
| eval ende= strftime(ende,"%H:%M:%S")
|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
| table start ende Timediff Process
I tried with | chart values(Timediff) by Process
but the chart was empty.
try this
| stats sum(timediff) by process _time
OR | chart values(timediff) over _time by process
The second one worked. But the y axis is now in epoch time. How can I format it to "normal" time?
add |convert ctime(_time) at the end
@j_r, that's because TimeDiff is a string.
Try this
base search
| search Process= my_process
| dedup Job_Typ
| eval Difference=strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S")
| eval Timediff=tostring(Difference,"duration")
| chart values(Difference) over Process by Timediff
Thanks for this, but unfortunately the result looks like this:
I changed the line to:
| chart values(Difference) over _time by Process
And result is this one.
Now the result is correct, but how can I display the y axis as time (time format)?
If I replace "Difference" with "Timediff", the chart is empty.
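An added example, not part of the thread or any poster's search: a self-contained search that keeps the difference numeric so the chart has values to plot, converts it to minutes for the y axis, and keeps the duration string only for display. The Process names and all times except 10:13:48/10:24:23 are constructed sample values, and the 86400-second correction for a job that ends after midnight is an assumption about the data.

```spl
| makeresults count=3 ```constructed sample rows, not data from the thread``` | streamstats count AS n
| eval Process=case(n=1,"proc_a", n=2,"proc_b", n=3,"proc_c")
| eval Startzeit=case(n=1,"10:13:48", n=2,"11:02:10", n=3,"23:50:00")
| eval Endezeit=case(n=1,"10:24:23", n=2,"11:47:55", n=3,"00:05:30")
| eval Difference=strptime(Endezeit,"%H:%M:%S")-strptime(Startzeit,"%H:%M:%S")
| eval Difference=if(Difference<0, Difference+86400, Difference) ```assumption: end time on the next day``` | eval Timediff=tostring(Difference,"duration")
| eval Minutes=round(Difference/60,2)
| chart max(Minutes) AS "Duration (min)" over Process
```

Replacing the last line with `| table Process Startzeit Endezeit Timediff Minutes` shows the string and numeric forms side by side; only the numeric field can be charted.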