Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subtract static value from list

dheri
Engager
‎06-18-2019 07:56 AM

I am trying to get time difference between 2 timestamps, I have one field deployment_ts with one value and list of time stamps commit_ts, i want a list containing the difference for each value in list with the other field eval commit_to_rel = (deployment_ts - commit_ts). Bu t I am not getting any result.

here is my query 



index=x application_name="yy-xx-zz" event_type="ev"

| spath path=commits{}.date output=commit_date 

| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z"))

| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))

| eval commit_to_rel =  (deployment_ts - commit_ts)

| stats list(commit_date), list(commit_ts), list(deployment_ts), list(commit_to_rel)

Can anyone please tell me how to get this done?

here is the picture of results along with the querry.

alt text

Preview file
279 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-19-2019 03:00 AM

Hi @dheri,

Try this :

index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_ts, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel =  (deployment_ts - commit_ts)

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-19-2019 03:00 AM

Hi @dheri,

Try this :

index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_ts, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel =  (deployment_ts - commit_ts)

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-19-2019 08:11 AM

Hi @dheri Was that helpful ? Can you let me know if it worked for you ?

0 Karma
Reply
Solved! Jump to solution

dheri
Engager
‎06-19-2019 08:13 AM

Yes, I was able to expand single event into multiple events.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-19-2019 08:14 AM

Awesome ! Great to hear that !

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2019 12:30 AM

@dheri

Is the date format for deployment_time and commit_date are the same? If not, can you please share it else pls try below search? 

| makeresults 
| eval _raw="{\"deployment_time\": \"2019-06-03T15:41:26Z\",\"commit_date\": \"2019-06-03T15:41:26Z\"}" 
| kv 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z")) 
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ")) 
| eval commit_to_rel = (deployment_ts - commit_ts)

Just made change in | eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))

0 Karma
Reply
Solved! Jump to solution

dheri
Engager
‎06-19-2019 07:02 AM

@kamlesh_vaghela
Yes, there is difference between date format of deployment_time and commit_date but they both are converted into unix timestamps, which I can see in result as deployment_ts and commit_ts. I tried the query you asked me. Here are the results
alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...