Getting Data In

Subtract static value from list

dheri
Engager

I am trying to get the time difference between 2 timestamps. I have one field, deployment_ts, with one value and a list of timestamps, commit_ts; I want a list containing the difference between each value in the list and the other field: eval commit_to_rel = (deployment_ts - commit_ts). But I am not getting any result.

here is my query


index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| eval commit_to_rel = (deployment_ts - commit_ts)
| stats list(commit_date), list(commit_ts), list(deployment_ts), list(commit_to_rel)

Can anyone please tell me how to get this done?

Here is the picture of the results along with the query.


0 Karma
1 Solution

DavidHourani
Super Champion

Hi @dheri,

Try this :

index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel =  (deployment_ts - commit_ts)

Let me know if that helps.

Cheers,
David
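A self-contained way to try the mvexpand approach from the accepted answer, added here as an example and not code from the thread: the event is a constructed JSON record built with makeresults, so it runs in any search bar without the index=x data. The list is expanded before strptime, so each row carries exactly one commit_date and the subtraction is scalar minus scalar. The constructed deployment_time carries a numeric +0000 offset so %z matches it; if the real field ends in a literal Z, use the literal-Z format shown for commit_ts instead. The field name commit_to_rel_hms and the two commit dates are assumptions made for this example.

```spl
| makeresults
| eval _raw="{\"application_name\":\"yy-xx-zz\",\"event_type\":\"ev\",\"deployment_time\":\"2019-06-03T15:41:26+0000\",\"commits\":[{\"date\":\"2019-06-03T14:11:26Z\"},{\"date\":\"2019-06-02T09:00:00Z\"}]}"
| spath path=deployment_time
| spath path=commits{}.date output=commit_date
| mvexpand commit_date
| eval deployment_ts = strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z")
| eval commit_ts = strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ")
| where isnotnull(deployment_ts) AND isnotnull(commit_ts)
| eval commit_to_rel = deployment_ts - commit_ts
| eval commit_to_rel_hms = tostring(commit_to_rel, "duration")
| table deployment_time commit_date deployment_ts commit_ts commit_to_rel commit_to_rel_hms
```

With the constructed input this yields two rows, with commit_to_rel of 5400 seconds (1h30m) and 110486 seconds (1 day 6h41m26s). The where clause is the check to keep: if either strptime format does not match the raw string, the timestamp is null and the row is dropped rather than silently producing an empty difference, which is the symptom in the original question. If one row per deployment is wanted again after the arithmetic, follow with something like stats values(commit_to_rel) by deployment_time. Note that mvexpand materialises one event per list element and is subject to the search's memory limit, so very long commit lists may be truncated.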

DavidHourani
Super Champion

Hi @dheri, was that helpful? Can you let me know if it worked for you?

0 Karma

dheri
Engager

Yes, I was able to expand single event into multiple events.

0 Karma

DavidHourani
Super Champion

Awesome! Great to hear that!

0 Karma

kamlesh_vaghela
SplunkTrust

@dheri

Are the date formats for deployment_time and commit_date the same? If not, can you please share them; otherwise, please try the search below.

| makeresults 
| eval _raw="{\"deployment_time\": \"2019-06-03T15:41:26Z\",\"commit_date\": \"2019-06-03T15:41:26Z\"}" 
| kv 
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z")) 
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ")) 
| eval commit_to_rel = (deployment_ts - commit_ts)

I just made a change in | eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))

0 Karma

dheri
Engager

@kamlesh_vaghela
Yes, there is a difference between the date formats of deployment_time and commit_date, but both are converted into Unix timestamps, which I can see in the results as deployment_ts and commit_ts. I tried the query you asked me to. Here are the results:

0 Karma