Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

in a Splunk Dashboard, how do you calculate the time difference between now and start time ?

jagadeeshvenkat
Explorer
‎03-05-2019 04:36 AM

Hi all,

I have a Splunk dashboard in which I have to divide my total by seconds (Please refer below 3600). Instead of hard coding, I have to do a divide by difference between start time and now .

| eval TPS=Round((Total/**3600**),2)

I.e., if I select and search for time range between 03/05/2019 04:00:00 AM to 03/05/2019 06:00:00 AM , it should return a value which i can substitute using a variable in the below eval function.

| eval TPS=Round((Total/**some_variable**),2)

Any help is much appreciated .!!!!

thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-05-2019 04:42 AM

@jagadeeshvenkatesh1,

now() - $your_time_token.earliest$

updated:

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
|eval TPS=Round((Total/(now() - starttime)),2)
Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-05-2019 04:42 AM

@jagadeeshvenkatesh1,

now() - $your_time_token.earliest$

updated:

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
|eval TPS=Round((Total/(now() - starttime)),2)
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

jagadeeshvenkat
Explorer
‎03-05-2019 05:36 AM

That's awesome.. it worked .. My long time change in my prod dashboard is done because of you.
Thanks for that @renjith.nair . it means a lot.! 🙂

Reply
Solved! Jump to solution

nainanayana
New Member
‎06-04-2019 03:33 AM

index="*" |eval check_in=check_in |eval check_out=check_out |eval it = strptime(check_in, "%H:%M:%S")
| eval ot = strptime(check_out, "%H:%M:%S") | eval diff=ot-it |eval diff1 = tostring(diff, "duration")
i was trying to get duration between checkin and check out but i am getting only 1 person duration please check and let me know soon

0 Karma
Reply
Solved! Jump to solution

jagadeeshvenkat
Explorer
‎03-05-2019 04:51 AM

thanks @renjith.nair . if i use
| eval TPS=Round((Total/(now() - $field1.earliest$)),2)
, i getting an error like "error in 'eval' command. the expression is malperformed Expected )".

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎03-05-2019 05:07 AM

okie, thats because you might be using relative time (-1d,-1m etc).

Try this then

|eval starttime=if(match("$field1.earliest$","^(\d+)"),"$field1.earliest$",relative_time(now(),"$field1.earliest$"))
| eval TPS=Round((Total/(now() - starttime)),2)
Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...