
How to search duration using two timestamps?

Path Finder

Hi,

We need to find duration between timestamps and the format looks like below.

max_time=1461593558.000
min_time=1461593258.000

Used the search below to convert this to a proper time frame.

index=datapower   |stats avg(Time) as Average,Count 
| eval Average=round(Average,2) |where Average>50
| addinfo 
| eval SearchstartTime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S")
| eval SearchendTime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S") 

Tried finding difference like this by adding this to the end of the search:

| eval diff= tostring(SearchendTime - SearchstartTime,"duration")

but it is not retrieving any results.

Can you please help?

0 Karma

Re: How to search duration using two timestamps?

Builder

I have a search to find VPN connection durations, which I built a long time ago and probably with the help of answers.splunk.com. But here are the relevant parts if you can pick it apart for your usecase:

 | convert dur2sec(duration) |bucket _time span=1d | stats sum(duration) as sumdur by _time src_ip  |eval "Time Connected"=tostring(sumdur, "duration") |fields - sumdur |rename _time as Date | convert timeformat=%m/%d/%Y ctime(Date) 
0 Karma

Re: How to search duration using two timestamps?

Path Finder

Thanks Dave, used tostring with eval, but this is not returning any results. There might be some issue with strftime.

0 Karma

Re: How to search duration using two timestamps?

Builder

Hmm, sorry it's not working for you... I stripped it down more and the eval does work for me (obviously). Not sure why.

| convert dur2sec(duration) | stats sum(duration) as sumdur |eval "Time Connected"=tostring(sumdur, "duration")

duration is a field in my data. Ignoring the bucket of one day tied to the _time (parses the search by date)... I just ran my new search for 24h, which is the same thing (and much quicker). The above results in:

sumdur   Time Connected
106846   1+05:40:46

Yeah...I live on VPN...

0 Karma

Re: How to search duration using two timestamps?

SplunkTrust

Use info_min_time and info_max_time (which are in epoch format) to calculate duration.

index=datapower | stats avg(Time) as Average,Count
| eval Average=round(Average,2) | where Average>50
| addinfo | eval duration=tostring(info_max_time-info_min_time,"duration")
| eval SearchstartTime=strftime(info_min_time,"%Y-%m-%d %H:%M:%S")
| eval SearchendTime=strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
0 Karma
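As an added worked example (not part of this thread, and not Splunk's own code): a small Python model of the epoch-based calculation from the answer above, using the two timestamps from the question. It reproduces the D+HH:MM:SS layout of tostring(..., "duration") (the 106846 -> 1+05:40:46 output earlier in the thread is the reference) and shows why subtracting the strftime-formatted strings leaves the diff field empty. The strftime model assumes UTC; Splunk uses the search head's time zone.

```python
from datetime import datetime, timezone

# Epoch values from the question (what addinfo exposes as info_min_time / info_max_time).
INFO_MIN_TIME = 1461593258.000
INFO_MAX_TIME = 1461593558.000


def splunk_duration(seconds):
    """Mimic tostring(<seconds>, "duration"): HH:MM:SS, prefixed with D+ once >= 1 day."""
    total = int(round(seconds))
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def strftime_like(epoch, fmt="%Y-%m-%d %H:%M:%S"):
    """Model of SPL strftime(): epoch -> text (UTC assumed here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def eval_minus(a, b):
    """Model of SPL 'eval x=a-b': only numeric operands subtract; anything else yields null (None)."""
    try:
        return float(a) - float(b)
    except (TypeError, ValueError):
        return None


def duration_from_epoch(min_time, max_time):
    """The working pattern from the answer: subtract the epoch fields first, then format."""
    return splunk_duration(max_time - min_time)


def duration_from_strings(min_time, max_time):
    """The question's pattern: subtract the already-formatted strings; eval returns null."""
    diff = eval_minus(strftime_like(max_time), strftime_like(min_time))
    return None if diff is None else splunk_duration(diff)


if __name__ == "__main__":
    print("epoch diff :", duration_from_epoch(INFO_MIN_TIME, INFO_MAX_TIME))    # 00:05:00
    print("string diff:", duration_from_strings(INFO_MIN_TIME, INFO_MAX_TIME))  # None
    print("106846 s   :", splunk_duration(106846))                              # 1+05:40:46
```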

Re: How to search duration using two timestamps?

SplunkTrust

Please confirm that

 index=datapower   |stats avg(Time) as Average,Count 

returns events?

0 Karma