Re: How to calculate the age of the tickets ?

chitreshakumar · ‎01-21-2018

I want to add a panel which will show the age of the tickets .
I have start time ,finish time and will take current time for those tickets whose finish time is null .So basically age is difference of finish and start time .How to apply this in Splunk?

p_gurav · ‎01-22-2018

Hi,

Try this:

| eval finishtime_new = case(isnull(finishtime), currenttime) | eval finishtime_epoch = (finishtime_new, "format_of_finishtime_new") | eval starttime_epoch = (starttime, "format_of_startime") | eval diff = finishtime_epoch - starttime_epoch

p_gurav · ‎01-22-2018

Hi chitreshakumar,

you can convert starttime and finishtime in epoch usingstrptime function using eval:
| eval finishtime_epoch = (finishtime, "") | eval starttime_epoch = (starttime, "") | eval diff = finishtime_epoch - starttime_epoch

chitreshakumar · ‎01-22-2018

there is one condition if the finish time is not defined or null then this query will give wrong answer

p_gurav · ‎01-22-2018

You can make new field :

| eval finishtime_new = case(isnull(finishtime), currenttime)

mayurr98 · ‎01-22-2018

give us sample format of starttime and finishtime

chitreshakumar · ‎01-22-2018

its the date and time of the ticket generated

How to calculate the age of the tickets ?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases