Getting Data In

## Calculating hours since event Path Finder

I am attempting to calculate hours since an event occurred, however, the calculated time shows decimals including .6 to .9 between hour values.

``````index=abc
| eval time_difference=(now() - _time)
| eval time_in_hours=(time_difference/60)
| eval Hours_elapsed=round(time_in_hours/60,2)
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Time Hours_elapsed
| sort - Hours_elapsed
``````

Here's an example of the output

``````Time                   Hours_elapsed
2019-10-16 05:39:02 22.96
2019-10-16 05:39:19 22.96
2019-10-16 05:39:14 22.96
2019-10-16 05:48:48 22.80
2019-10-16 05:48:47 22.80
``````

I've attempted to calculate the difference of now() and _time in epoch and then do an eval to calculate the hours, but have had no luck.

Tags (2)
1 Solution Ultra Champion

looks like you are doing fine ...
epoch is in seconded and you are calculating hours when dividing in 60 ...

try this:

``````| gentimes start=-1 increment=1h
| eval _time = starttime
| eval  now_time = now()
| table now_time _time
| eval difference_in_seconds = now_time - _time
| eval difference_in_hours = round(difference_in_seconds / 3600, 2)
``````

hope it helps Builder

It's not showing "minutes greater than 59"

The "difference in hours" column is showing you decimal "time"

30.95 hours is 30 hours, 57 minutes (.95 hours = 57 minutes)

There's nothing wrong with the displayed values - unless you want them in hh:mm format

Then you should do this:

``````| makeresults
| eval seconds=107836
| eval intermediate=round(seconds/3600,2)
| rex field=intermediate "(?<hh>\d+)\.(?<mm>\d+)"
| eval mm=round((mm*60)/100)
| eval hhmm=hh+":"+mm
| table *
``````

Which will yield:

``````hh | hhmm  | intermediate | mm | seconds
29 | 29:57 | 29.95        | 57 | 107836
`````` Path Finder

Thanks! I didn't think about decimal "time". It makes sense now. Ultra Champion

looks like you are doing fine ...
epoch is in seconded and you are calculating hours when dividing in 60 ...

try this:

``````| gentimes start=-1 increment=1h
| eval _time = starttime
| eval  now_time = now()
| table now_time _time
| eval difference_in_seconds = now_time - _time
| eval difference_in_hours = round(difference_in_seconds / 3600, 2)
``````

hope it helps Path Finder

Thanks, but it still shows hours with minutes greater than 59. The expected output is that the hour would increment after the minute crosses 59.

``````now_time    _time   difference_in_hours difference_in_seconds
1571313436  2019-10-16 00:00    30.95   111436
1571313436  2019-10-16 01:00    29.95   107836
1571313436  2019-10-16 02:00    28.95   10423
`````` Builder

You're seeing decimal time, instead of "traditional" time - 30.95 hours is 30 hours, 57 minutes Builder

You're not getting minute values greater than 59 - you're seeing "decimal time" Ultra Champion

yup ...
i guess this is what you want:

``````| gentimes start=-1 increment=1h
| eval _time = starttime
| eval  now_time = now()
| table now_time _time
| eval difference_in_seconds = now_time - _time
| eval difference_in_hours_min_sec = tostring(difference_in_seconds, "duration")
`````` Path Finder

Yes! this is perfect 🙂 Get Updates on the Splunk Community!