Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I represent a time difference by changing the time format?

j_r
Path Finder
‎12-06-2018 09:03 AM

hello all together,

I'm new to Splunk and I have this problem:

i want to represent a time difference and I already have the right search commands.

Unfortunately, the formatting doesn't work yet.

I want to display the difference in minutes. But, at the moment, 2 hours are added to the results (see picture).
Example: The first line. The result in TimeDiff should be 00:10:35 and not 02:10:35.

alt text

Tags (1)
Preview file
41 KB
0 Karma
Reply

renjith_nair
Legend
‎12-06-2018 10:35 AM

@j_r,

Timediff is calulated in seconds.

Try this

|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")

Verified with:

    |makeresults|eval start="10:13:48",ende="10:24:23"
    |eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

j_r
Path Finder
‎12-07-2018 12:36 AM

Thanks @renjith.nair 🙂

I would like to plot this time difference for a chosen process in a (time)chart. The Y-Axis should represent the time difference (Timediff) and the X-Axis the name of the Process.

base search
| search Process= my_process
| dedup Job_Typ 
| eval start = strptime(Startzeit, "%H:%M:%S")  
| eval ende = strptime(Endezeit, "%H:%M:%S")  
| eval Timediff=ende-start 
| eval start= strftime(start,"%H:%M:%S") 
| eval ende= strftime(ende,"%H:%M:%S") 
|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
| table  start ende Timediff Process

i tried with | chart values(Timediff) by Process but the chart was empty.

0 Karma
Reply

nagarjuna280
Communicator
‎12-08-2018 04:53 PM

try this
| stats sum(timediff) by process _time
OR | chart values(timediff) over _time by process

Reply

j_r
Path Finder
‎12-10-2018 04:48 AM

The second one worked. But the y axis is now as epoch time. How can i format it to "normal" time?

0 Karma
Reply

nagarjuna280
Communicator
‎01-03-2019 07:06 PM

add |convert ctime(_time) at the end

0 Karma
Reply

renjith_nair
Legend
‎12-08-2018 04:42 PM

@j_r, thats because TimeDiff is a string.

Try this

base search
 | search Process= my_process
 | dedup Job_Typ 
 | eval Difference=strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S")
 | eval Timediff=tostring(Difference,"duration")
 | chart values(Difference) over Process by  Timediff
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply

j_r
Path Finder
‎12-10-2018 04:45 AM

Thanks for this, but unfortunately the result looks like this: alt text

i changed the line to:

| chart values(Difference) over _time by  Process

And result is this one.
alt text

Now the result is correct but how can i display the y axis as time (time format)?
If i replace "Difference" by "Timediff" the chart ist empty

0 Karma
Reply
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...