Time Conversion - Elapsed Time

Explorer

I have time stamps in the format of H:MM. But when the minutes reach 60 they don't add an hour; only when the number reaches above .99 does it add an hour.

This makes the timestamp hard to read.

What complicates the issue is that the elapsed time can be anywhere from .22 to 3.22.

I'm calculating these elapsed times from two correctly formatted time stamps, converting those to seconds, subtracting them then converting back to normal time. I've tried if and case evals but they aren't always correct.

Has anyone found a solution to a problem similar to this?

1 Solution

SplunkTrust
| makeresults | eval DurationInSeconds=234.76 | eval DurationDisplay=strftime(DurationInSeconds,"%H:%M:%S.%3N")

0 Karma

Super Champion

Try using tostring instead of strftime. strftime is more for a datestamp since it's using epoch and tostring is for actual seconds duration:

This got me 1 hour and 20 minutes.

| makeresults
| eval starttime="21:20:00"
| eval endtime="20:00:00"
| eval secondsstart=strptime(starttime,"%H:%M:%S")
| eval secondsend=strptime(endtime,"%H:%M:%S")
| eval durationseconds=secondsstart-secondsend
| eval duration=mvindex(split(tostring(durationseconds,"duration"),"."),0)

Explorer

@cmerriman I used the solution you provided "(split(tostring(durationseconds,"duration"),"."),0)"
but this came out with very weird answers. I got answers like
6+02:23:16 9+03:34:54
4+08:55:02 6+13:22:33
5+20:20:19 8+18:30:28
5+20:20:19 8+18:30:28

I don't know how to explain 8+18:30:28. Where do I fit that? Do I have to do more computation to sum that up again? I don't really see any documentation in Splunk's docs for all of this; nothing covers how to calculate duration or the answers to expect after this is used.
Please explain this process to me, it is really vague.

0 Karma

Super Champion

The 8+ is referring to the number of days. How exactly are you wanting to display duration?

Explorer

I wanted to display the duration in sections for example the output will be:
8d+18H:30M:28S

0 Karma

Super Champion

You can try something like this: |eval dur2=floor(time/86400)."d+".(floor(time/3600)%24)."H:".(floor(time/60)%60)."M:".floor(time%60)."S"
but generally the duration is doing what you want, without adding the d/H/M/S values.

8+18:30:28 means 8 days, 18 hours, 30 minutes, and 28 seconds.

Explorer

That's solid. It worked!
Thanks a lot.

0 Karma

Explorer

The issue is that the calculation is close to being correct. From my data I'll have a timestamp like 21:20:00 and 20:00:00, and I need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

0 Karma

SplunkTrust
| makeresults | eval times="21:20:00,20:00:00 20:00:00,21:20:00" | makemv times | mvexpand times | makemv delim="," times | eval starttime=mvindex(times,0), endtime=mvindex(times,1) | table starttime endtime
| rename COMMENT as "The above just generates test data."

| eval startepoch=strptime(starttime,"%H:%M:%S"), endepoch=strptime(endtime,"%H:%M:%S")
| eval endepoch=if(endepoch<startepoch,endepoch+86400,endepoch)
| eval durationepoch=endepoch-startepoch
| eval duration=strftime(durationepoch,"%H:%M:%S")
0 Karma

Engager

Does this also apply if you utilize the _time in the stats?

0 Karma

Path Finder

Is Splunk parsing the data correctly? Is the _time field the correct time? If so maybe you can just use that. If not you'll have to get fancy with eval commands to convert the time stamp yourself.

0 Karma

SplunkTrust

How are you doing the "converting back to normal time" part? Are you using strftime or tostring(seconds,"duration")?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

eval DurationDisplay=strftime(differenceEpoch,"%H:%M:%S")

The issue is that the calculation is close to being correct. From my data I'll have a timestamp like 21:20:00 and 20:00:00, and I need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.
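
An added example, not part of the thread and not Splunk code: a Python model of the two renderings discussed above, showing how a timestamp formatter applied to a 1 h 20 min duration can return 19:20:00 and how it drops whole days. The UTC-6 zone is an assumption inferred from the numbers in the posts, and all function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DAY = 86400


def clock_to_seconds(hms):
    """Seconds since midnight for an HH:MM:SS string."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def elapsed_seconds(start, end):
    """end - start; an end earlier than start is taken as the next day,
    the same +86400 rule used in the thread's search."""
    diff = clock_to_seconds(end) - clock_to_seconds(start)
    return diff + DAY if diff < 0 else diff


def as_clock_time(seconds, utc_offset_hours):
    """Treat a duration as an epoch timestamp and print the wall-clock time
    in the given zone: the strftime-on-a-duration mistake."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(seconds, tz).strftime("%H:%M:%S")


def split_duration(seconds):
    """Break a duration into whole days, hours, minutes, seconds."""
    days, rem = divmod(int(seconds), DAY)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return days, hours, minutes, secs


def as_duration(seconds):
    """[D+]HH:MM:SS, the layout the thread shows for tostring(x,"duration")."""
    d, h, m, s = split_duration(seconds)
    return (f"{d}+" if d else "") + f"{h:02d}:{m:02d}:{s:02d}"


def as_labelled(seconds):
    """The 8d+18H:30M:28S layout requested in the thread."""
    d, h, m, s = split_duration(seconds)
    return f"{d}d+{h}H:{m}M:{s}S"


if __name__ == "__main__":
    gap = elapsed_seconds("20:00:00", "21:20:00")     # constructed sample
    print(gap, as_clock_time(gap, -6), as_duration(gap))
    long_gap = 8 * DAY + clock_to_seconds("18:30:28")  # constructed sample
    print(as_clock_time(long_gap, 0), as_duration(long_gap), as_labelled(long_gap))
```
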
