Time Conversion - Elapsed Time

Explorer

I have time stamps in the format of H:MM. But when the minutes reach 60 they don't add an hour; only when the number reaches above .99 does it add an hour.

This makes the timestamp hard to read.

What complicates the issue is that the elapsed time can be anywhere from .22 to 3.22.

I'm calculating these elapsed times from two correctly formatted time stamps, converting those to seconds, subtracting them, then converting back to normal time. I've tried if and case evals but they aren't always correct.

Has anyone found a solution to a problem similar to this?

Re: Time Conversion - Elapsed Time

SplunkTrust

How are you doing the "converting back to normal time" part? Are you using strftime or tostring(seconds,"duration")?

---
If this reply helps you, an upvote would be appreciated.

Re: Time Conversion - Elapsed Time

Explorer

eval DurationDisplay=strftime(differenceEpoch,"%H:%M:%S")

The issue is that the calculation is close to being correct. From my data I'll have a timestamp like 21:20:00 and 20:00:00; I need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

Re: Time Conversion - Elapsed Time

Path Finder

Is Splunk parsing the data correctly? Is the _time field the correct time? If so maybe you can just use that. If not you'll have to get fancy with eval commands to convert the time stamp yourself.

Re: Time Conversion - Elapsed Time

SplunkTrust
| makeresults | eval DurationInSeconds=234.76 | eval DurationDisplay=strftime(DurationInSeconds,"%H:%M:%S.%3N")

Re: Time Conversion - Elapsed Time

Explorer

The issue is that the calculation is close to being correct. From my data I'll have a timestamp like 21:20:00 and 20:00:00; I need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

Re: Time Conversion - Elapsed Time

SplunkTrust
| makeresults | eval times="21:20:00,20:00:00 20:00:00,21:20:00" | makemv times | mvexpand times | makemv delim="," times | eval starttime=mvindex(times,0), endtime=mvindex(times,1) | table starttime endtime
| rename COMMENT as "The above just generates test data."

| eval startepoch=strptime(starttime,"%H:%M:%S"), endepoch=strptime(endtime,"%H:%M:%S")
| eval endepoch=if(endepoch<startepoch,endepoch+86400,endepoch)
| eval durationepoch=endepoch-startepoch
| eval duration=strftime(durationepoch,"%H:%M:%S")

Re: Time Conversion - Elapsed Time

Engager

Does this also apply if you utilize the _time in the stats?

Re: Time Conversion - Elapsed Time

Super Champion

Try using tostring instead of strftime. strftime is more for a datestamp since it's using epoch, and tostring is for actual seconds duration:

This got me 1 hour and 20 minutes.

|makeresults |eval starttime="21:20:00"|eval endtime="20:00:00"|eval secondsstart=strptime(starttime,"%H:%M:%S")|eval secondsend=strptime(endtime,"%H:%M:%S")|eval durationseconds=secondsstart-secondsend|eval duration=mvindex(split(tostring(durationseconds,"duration"),"."),0)

Re: Time Conversion - Elapsed Time

Explorer

@cmerriman I used the solution you provided "(split(tostring(durationseconds,"duration"),"."),0)"
but this came out with very weird answers. I got answers like
6+02:23:16 9+03:34:54
4+08:55:02 6+13:22:33
5+20:20:19 8+18:30:28
5+20:20:19 8+18:30:28

I don't know how to explain 8 + 18:30:28; where do I fit that? Do I have to do more computation to sum that up again? I don't really see any documentation in SPLUNK's Docs for all of this; nothing covers how to calculate duration or the answers to expect after this is used.
Please explain this process to me; it is really vague.

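An added example, not part of any post in this thread and not Splunk's own code: a Python illustration of the two behaviours discussed above, namely a time-of-day formatter applied to a duration picking up the local UTC offset, and the D+HH:MM:SS duration form read as days plus hours:minutes:seconds. All function names are hypothetical, and the UTC-6 offset is an assumption chosen because it reproduces the 19:20:00 reported for a 1 hour 20 minute difference.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Optional "D+" day prefix, HH:MM:SS, optional fractional seconds (ignored).
_DURATION = re.compile(r"^(?:(\d+)\+)?(\d{1,2}):(\d{2}):(\d{2})(?:\.\d+)?$")


def format_duration(seconds):
    """Render elapsed seconds as [D+]HH:MM:SS, the shape seen in the thread."""
    total = int(seconds)
    if total < 0:
        raise ValueError("elapsed time must not be negative")
    days, rem = divmod(total, 86400)
    hh, rem = divmod(rem, 3600)
    mm, ss = divmod(rem, 60)
    prefix = f"{days}+" if days else ""
    return f"{prefix}{hh:02d}:{mm:02d}:{ss:02d}"


def parse_duration(text):
    """Turn [D+]HH:MM:SS[.ffffff] back into whole seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"not a duration: {text!r}")
    days, hh, mm, ss = (int(g or 0) for g in m.groups())
    return days * 86400 + hh * 3600 + mm * 60 + ss


def clock_rendering(seconds, utc_offset_hours):
    """Show what a time-of-day formatter prints when a duration is
    treated as an epoch timestamp in a zone with the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    moment = EPOCH + timedelta(seconds=seconds)
    return moment.astimezone(tz).strftime("%H:%M:%S")


def elapsed(start, end):
    """Seconds from start to end (HH:MM:SS clock times); an end earlier
    than the start is taken to fall on the following day."""
    s, e = parse_duration(start), parse_duration(end)
    return e - s if e >= s else e - s + 86400


if __name__ == "__main__":
    diff = elapsed("20:00:00", "21:20:00")       # 4800 seconds
    print(format_duration(diff))                  # duration rendering
    print(clock_rendering(diff, -6))              # assumed UTC-6 viewer
    print(parse_duration("8+18:30:28") / 3600)    # total hours in 8 days 18:30:28
```

Formatting a duration as a duration keeps it independent of the viewer's time zone, and a value such as 8+18:30:28 converts back to seconds without any further summing by hand.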