jordanb93

Explorer

06-01-2017
09:10 AM

I have time stamps in the format of H:MM. But when the minutes reach 60 they don't add an hour; only when the number reaches above .99 does it add an hour.

This makes the timestamp hard to read.

What complicates the issue is that the elapsed time can be anywhere from .22 to 3.22.

I'm calculating these elapsed times from two correctly formatted time stamps, converting those to seconds, subtracting them, then converting back to normal time. I've tried if and case evals but they aren't always correct.

Has anyone found a solution to a problem similar to this?

1 Solution

Re: Time Conversion - Elapsed Time

richgalloway

SplunkTrust

06-01-2017
10:52 AM

How are you doing the "converting back to normal time" part? Are you using `strftime` or `tostring(seconds,"duration")`?

---

If this reply helps you, an upvote would be appreciated.

Re: Time Conversion - Elapsed Time

jordanb93

Explorer

06-05-2017
06:24 AM

```
eval DurationDisplay=strftime(differenceEpoch,"%H:%M:%S")
```

The issue is that the calculation is close to being correct. From my data I'll have a timestamp like 21:20:00 and 20:00:00; I need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

Re: Time Conversion - Elapsed Time

pappjr

Path Finder

06-01-2017
06:23 PM

Is Splunk parsing the data correctly? Is the _time field the correct time? If so maybe you can just use that. If not you'll have to get fancy with eval commands to convert the time stamp yourself.

DalJeanis

SplunkTrust

06-01-2017
06:49 PM

```
| makeresults | eval DurationInSeconds=234.76 | eval DurationDisplay=strftime(DurationInSeconds,"%H:%M:%S.%3N")
```

Re: Time Conversion - Elapsed Time

jordanb93

Explorer

06-05-2017
06:26 AM

The issue is that the calculation is close to being correct. From my data I'll have a timestamp like 21:20:00 and 20:00:00; I need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

Re: Time Conversion - Elapsed Time

DalJeanis

SplunkTrust

06-08-2017
08:50 AM

```
| makeresults | eval times="21:20:00,20:00:00 20:00:00,21:20:00" | makemv times | mvexpand times | makemv delim="," times | eval starttime=mvindex(times,0), endtime=mvindex(times,1) | table starttime endtime
| rename COMMENT as "The above just generates test data."
| eval startepoch=strptime(starttime,"%H:%M:%S"), endepoch=strptime(endtime,"%H:%M:%S")
| eval endepoch=if(endepoch<startepoch,endepoch+86400,endepoch)
| eval durationepoch=endepoch-startepoch
| eval duration=strftime(durationepoch,"%H:%M:%S")
```

Re: Time Conversion - Elapsed Time

reneedeleon

Engager

09-26-2019
07:09 AM

Does this also apply if you utilize the _time in the stats?

Re: Time Conversion - Elapsed Time

cmerriman

Super Champion

06-05-2017
07:19 AM

Try using tostring instead of strftime. strftime is more for a datestamp since it's using epoch, and tostring is for actual seconds duration:

This got me 1 hour and 20 minutes.

```
|makeresults |eval starttime="21:20:00"|eval endtime="20:00:00"|eval secondsstart=strptime(starttime,"%H:%M:%S")|eval secondsend=strptime(endtime,"%H:%M:%S")|eval durationseconds=secondsstart-secondsend|eval duration=mvindex(split(tostring(durationseconds,"duration"),"."),0)
```

Re: Time Conversion - Elapsed Time

tegaslink

Explorer

09-21-2019
08:44 PM

@cmerriman I used the solution you provided "(split(tostring(durationseconds,"duration"),"."),0)"

but this came out with very weird answers. I got answers like

6+02:23:16 9+03:34:54

4+08:55:02 6+13:22:33

5+20:20:19 8+18:30:28


I don't know how to explain 8 + 18:30:28; where do I fit that? Do I have to do more computation to sum that up again? I don't really see documentation in Splunk's docs for all of this; nothing covers how to calculate duration or the answers to expect after this is used.

Please explain this process to me, it is really vague
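The two renderings discussed in this thread side by side, as an added example that is not part of any post: `strftime` treats the number as an epoch timestamp and prints a clock time in the searching user's time zone, while `tostring(X,"duration")` prints `D+HH:MM:SS` once the value reaches 24 hours, so `8+18:30:28` reads as 8 days, 18 hours, 30 minutes and 28 seconds. The sample values are constructed, and the field names `as_clock`, `as_duration`, `total_hours` and `hhmmss` are illustrative.

```spl
| makeresults
| eval durationseconds="4800,757828"
| makemv delim="," durationseconds
| mvexpand durationseconds
| eval durationseconds=tonumber(durationseconds)
| rename COMMENT as "Constructed test data: two elapsed times in seconds, one under a day and one over."
| eval as_clock=strftime(durationseconds,"%H:%M:%S")
| rename COMMENT as "as_clock is a wall-clock time near 1970-01-01, shifted by the user's UTC offset and wrapping every 24h."
| eval as_duration=tostring(durationseconds,"duration")
| rename COMMENT as "as_duration is HH:MM:SS, with a day count and a plus sign in front once the value reaches one day."
| eval total_hours=floor(durationseconds/3600)
| eval hhmmss=printf("%d:%02d:%02d", total_hours, floor((durationseconds%3600)/60), durationseconds%60)
| rename COMMENT as "hhmmss folds whole days into the hour count instead of showing them separately."
| table durationseconds as_clock as_duration hhmmss
```

Comparing `as_clock` with `as_duration` for the first row shows whether the search-time time zone is what shifts the hour field.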