Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strftime and adding leading zeros to time difference

timm7474
Explorer
‎06-14-2021 02:31 PM

Hi, I have a field called time_diff that I've eval'd from two other fields to calculate the difference in time between those fields.  The calculation is working fine and when I strftime the time_diff back to human readable, I'm using 

eval time_diff_final=strftime(time_diff, "%H:%M:%S.%3Q")

When I display the result of time_diff I see

0.13400

However when I look at the result of time_diff_final I see this.

19:00:00.134

The milliseconds is the correct calculation, but for some reason instead of putting a zero in the %H field I'm getting 19 for every single result. 

Any ideas?

Thanks!

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:27 PM

@timm7474 

You are actually getting duration in seconds as outcome not epoc, strftime function accepts epoc and returns as per format. your time_diff is difference in seconds.

-----

An upvote would be appreciated if it helps!

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 04:43 PM

Hi @timm7474 

How did you calculate time_diff can you share the samples of it?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

timm7474
Explorer
‎06-14-2021 04:48 PM

Sure, here is that part of the SPL.

| eval new_attimestamp=strptime('@timestamp',"%Y-%m-%dT%H:%M:%S.%3Q")
| eval new_mdctime=strptime('mdc.time',"%Y-%m-%dT%H:%M:%S.%3Q")
| eval time_diff=(new_attimestamp-new_mdctime)
| eval time_diff_final=strftime(time_diff,"%H:%M:%S.%3")

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:27 PM

@timm7474 

You are actually getting duration in seconds as outcome not epoc, strftime function accepts epoc and returns as per format. your time_diff is difference in seconds.

-----

An upvote would be appreciated if it helps!

Reply
Solved! Jump to solution

timm7474
Explorer
‎06-14-2021 06:22 PM

I just ran a test and did this to see how formatting would be for a day or more time difference.

| eval time_diff=(1623704985-new_mdctime).    (the # is June 14, 2021 9:09:45 PM)

against this date: 

2021-06-11T21:48:28.254Z

Which has a strptime of1623462508.254000

I get a difference of:

242476.746000

Any idea how to get it formatted properly so it shows hours, minutes, seconds and milliseconds?

 

Thanks!

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 07:54 PM

Hi @timm7474  

This might work but need through testing, a good way to start!

| makeresults 
| eval time_diff=242476.746000
| eval n=time_diff/3600 
| eval m=(n-floor(n))*60, s=round((m-floor(m))*60,3), mf=if(m > 1, floor(m), 0), h=floor(n)
| eval TIME_DIFF=h.":".mf.":".s

Output TIME_DIFF = 67:21:16.746 ,  h:m:s.3Q format

---

An upvote would be appreciated if it helps!

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:06 PM

@timm7474 

Can you share few samples of time_diff?

0 Karma
Reply
Solved! Jump to solution

timm7474
Explorer
‎06-14-2021 05:09 PM

0.114000

0.011000

and time_diff_final looks like this for the above values.  And you can see the 19 added when I add hour %H.

19:00:00.114

19:00:00.011

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...