Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strftime and adding leading zeros to time difference

timm7474
Explorer
‎06-14-2021 02:31 PM

Hi, I have a field called time_diff that I've eval'd from two other fields to calculate the difference in time between those fields.  The calculation is working fine and when I strftime the time_diff back to human readable, I'm using 

eval time_diff_final=strftime(time_diff, "%H:%M:%S.%3Q")

When I display the result of time_diff I see

0.13400

However when I look at the result of time_diff_final I see this.

19:00:00.134

The milliseconds is the correct calculation, but for some reason instead of putting a zero in the %H field I'm getting 19 for every single result. 

Any ideas?

Thanks!

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:27 PM

@timm7474 

You are actually getting duration in seconds as outcome not epoc, strftime function accepts epoc and returns as per format. your time_diff is difference in seconds.

-----

An upvote would be appreciated if it helps!

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 04:43 PM

Hi @timm7474 

How did you calculate time_diff can you share the samples of it?

Tags (1)
0 Karma
Reply
Solved! Jump to solution

timm7474
Explorer
‎06-14-2021 04:48 PM

Sure, here is that part of the SPL.

| eval new_attimestamp=strptime('@timestamp',"%Y-%m-%dT%H:%M:%S.%3Q")
| eval new_mdctime=strptime('mdc.time',"%Y-%m-%dT%H:%M:%S.%3Q")
| eval time_diff=(new_attimestamp-new_mdctime)
| eval time_diff_final=strftime(time_diff,"%H:%M:%S.%3")

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:27 PM

@timm7474 

You are actually getting duration in seconds as outcome not epoc, strftime function accepts epoc and returns as per format. your time_diff is difference in seconds.

-----

An upvote would be appreciated if it helps!

Reply
Solved! Jump to solution

timm7474
Explorer
‎06-14-2021 06:22 PM

I just ran a test and did this to see how formatting would be for a day or more time difference.

| eval time_diff=(1623704985-new_mdctime).    (the # is June 14, 2021 9:09:45 PM)

against this date: 

2021-06-11T21:48:28.254Z

Which has a strptime of1623462508.254000

I get a difference of:

242476.746000

Any idea how to get it formatted properly so it shows hours, minutes, seconds and milliseconds?

 

Thanks!

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 07:54 PM

Hi @timm7474  

This might work but need through testing, a good way to start!

| makeresults 
| eval time_diff=242476.746000
| eval n=time_diff/3600 
| eval m=(n-floor(n))*60, s=round((m-floor(m))*60,3), mf=if(m > 1, floor(m), 0), h=floor(n)
| eval TIME_DIFF=h.":".mf.":".s

Output TIME_DIFF = 67:21:16.746 ,  h:m:s.3Q format

---

An upvote would be appreciated if it helps!

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-14-2021 05:06 PM

@timm7474 

Can you share few samples of time_diff?

0 Karma
Reply
Solved! Jump to solution

timm7474
Explorer
‎06-14-2021 05:09 PM

0.114000

0.011000

and time_diff_final looks like this for the above values.  And you can see the 19 added when I add hour %H.

19:00:00.114

19:00:00.011

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...