
Subtract static value from list

Engager

I am trying to get the time difference between 2 timestamps. I have one field, deployment_ts, with one value and a list of timestamps, commit_ts. I want a list containing the difference for each value in the list with the other field: eval commit_to_rel = (deployment_ts - commit_ts). But I am not getting any result.

Here is my query:


index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| eval commit_to_rel = (deployment_ts - commit_ts)
| stats list(commit_date), list(commit_ts), list(deployment_ts), list(commit_to_rel)

Can anyone please tell me how to get this done?

Here is the picture of the results along with the query.


0 Karma

Re: Subtract static value from list

SplunkTrust

@dheri

Are the date formats for deployment_time and commit_date the same? If not, can you please share them? Otherwise, please try the search below.

| makeresults 
| eval _raw="{\"deployment_time\": \"2019-06-03T15:41:26Z\",\"commit_date\": \"2019-06-03T15:41:26Z\"}" 
| kv 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z")) 
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ")) 
| eval commit_to_rel = (deployment_ts - commit_ts)

Just made a change in | eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))

0 Karma

Re: Subtract static value from list

Engager

@kamleshvaghela
Yes, there is a difference between the date formats of `deployment_time` and `commit_date`, but they both are converted into unix timestamps, which I can see in the result as `deployment_ts` and `commit_ts`. I tried the query you asked me to. Here are the results:

0 Karma

Re: Subtract static value from list

SplunkTrust

Hi @dheri,

Try this:

index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel = (deployment_ts - commit_ts)

Let me know if that helps.

Cheers,
David
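
The approach from this answer as a self-contained search, added here as an example and not posted by anyone in the thread: it builds a constructed sample event with makeresults, expands the commit dates before the subtraction, then regroups the differences into a list with stats. Rewriting the trailing Z to +0000 so both fields parse with %z is an assumption of this example; a literal Z in the format string is only matched as a character, so the commit time would otherwise be read in the searching user's time zone.

```spl
| makeresults
| eval _raw="{\"note\": \"constructed sample event\", \"deployment_time\": \"2019-06-03T15:41:26+0000\", \"commits\": [{\"date\": \"2019-06-01T10:00:00Z\"}, {\"date\": \"2019-06-02T12:30:00Z\"}]}"
| spath path=deployment_time
| spath path=commits{}.date output=commit_date
| eval deployment_ts = strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z")
| mvexpand commit_date
| eval commit_ts = strptime(replace(commit_date, "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S%z")
| eval commit_to_rel = deployment_ts - commit_ts
| stats list(commit_date) AS commit_date, list(commit_to_rel) AS commit_to_rel BY deployment_time
```

Each row of the result holds one deployment with its commit dates and the matching differences in seconds; on real data, group by a field that identifies the deployment event uniquely rather than by deployment_time alone.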


Re: Subtract static value from list

SplunkTrust

Hi @dheri, was that helpful? Can you let me know if it worked for you?

0 Karma

Re: Subtract static value from list

Engager

Yes, I was able to expand a single event into multiple events.

0 Karma

Re: Subtract static value from list

SplunkTrust

Awesome! Great to hear that!

0 Karma