How to find elapsed time between now() and event?

Communicator

Hello. I am trying to find the amount of time that has passed from the time an event occurred to the present (now()). I tried subtracting the time of the event from the current time, but I got an epoch time value that gives me times in the 1970s. What conversions do I have to make to have Splunk tell me something happened 30 hours ago and not 30 years?

Thanks for your help

1 Solution

SplunkTrust

Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs.

... | fieldformat timeField = tostring(timeField,"duration")

SplunkTrust

Well you have the time of the event as _time field, and you can use now() in eval expressions, so you can make a field, let's call it secondsAgo, like so:

| eval secondsAgo=now() - _time

It is of course just a number of seconds. If you were to do | convert ctime(secondsAgo), that would be weird because you're asking Splunk to tell you what time it would be if this number of seconds were defined as "the number of seconds since 1/1/1970 in GMT", which... is generally a random time in 1970.

What you probably want to do after getting secondsAgo as an integer, is convert it to an "HH:MM:SS" duration string, like so:

| eval secondsAgo=now() - _time | eval durationStr=tostring(secondsAgo,"duration")

or if you prefer it in one eval expression,

| eval secondsAgoStr=tostring(now() - _time, "duration")
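A fuller search built on the same now() - _time idea, added here as an example and not part of the answer above: it finds hosts that have gone quiet by taking each host's most recent event, computing how long ago that was, and flagging anything older than a day. The index, sourcetype, field names and the 86400-second threshold are assumptions for the example.

```spl
index=main sourcetype=syslog
| stats max(_time) AS lastSeen BY host
| eval secondsAgo = now() - lastSeen
| eval lastSeenAgo = tostring(secondsAgo, "duration")
| eval lastSeenTime = strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| where secondsAgo > 86400
| sort - secondsAgo
| table host lastSeenTime lastSeenAgo secondsAgo
```

secondsAgo stays numeric so it can be compared and sorted, while lastSeenAgo is the human-readable duration string; lastSeenTime is the original epoch value rendered with strftime, not the duration.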

Communicator

Thanks! This is worthy of acceptance for the Answer, but rich7177 posted his Answer-acceptance worthy reply first, and therefore must get credit. I hope my gratitude will suffice in lieu of Karma points!

SplunkTrust

hehe. Sure no problem. He and I were writing our answers at the same time. Unaccepting answers and accepting others happens all the time but in this case they are both right so it matters little. Cheers.


Communicator

Thanks! I was not picking up on that important detail.