Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I represent a time difference by changing the time format?

j_r
Path Finder
‎12-06-2018 09:03 AM

hello all together,

I'm new to Splunk and I have this problem:

i want to represent a time difference and I already have the right search commands.

Unfortunately, the formatting doesn't work yet.

I want to display the difference in minutes. But, at the moment, 2 hours are added to the results (see picture).
Example: The first line. The result in TimeDiff should be 00:10:35 and not 02:10:35.

alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

renjith_nair
Legend
‎12-06-2018 10:35 AM

@j_r,

Timediff is calulated in seconds.

Try this

|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")

Verified with:

    |makeresults|eval start="10:13:48",ende="10:24:23"
    |eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
Happy Splunking!
Reply

j_r
Path Finder
‎12-07-2018 12:36 AM

Thanks @renjith.nair 🙂

I would like to plot this time difference for a chosen process in a (time)chart. The Y-Axis should represent the time difference (Timediff) and the X-Axis the name of the Process.

base search
| search Process= my_process
| dedup Job_Typ 
| eval start = strptime(Startzeit, "%H:%M:%S")  
| eval ende = strptime(Endezeit, "%H:%M:%S")  
| eval Timediff=ende-start 
| eval start= strftime(start,"%H:%M:%S") 
| eval ende= strftime(ende,"%H:%M:%S") 
|eval Timediff=tostring(strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S"),"duration")
| table  start ende Timediff Process

i tried with | chart values(Timediff) by Process but the chart was empty.

0 Karma
Reply

nagarjuna280
Communicator
‎12-08-2018 04:53 PM

try this
| stats sum(timediff) by process _time
OR | chart values(timediff) over _time by process

Reply

j_r
Path Finder
‎12-10-2018 04:48 AM

The second one worked. But the y axis is now as epoch time. How can i format it to "normal" time?

0 Karma
Reply

nagarjuna280
Communicator
‎01-03-2019 07:06 PM

add |convert ctime(_time) at the end

0 Karma
Reply

renjith_nair
Legend
‎12-08-2018 04:42 PM

@j_r, thats because TimeDiff is a string.

Try this

base search
 | search Process= my_process
 | dedup Job_Typ 
 | eval Difference=strptime(ende,"%H:%M:%S")-strptime(start,"%H:%M:%S")
 | eval Timediff=tostring(Difference,"duration")
 | chart values(Difference) over Process by  Timediff
Happy Splunking!
Reply

j_r
Path Finder
‎12-10-2018 04:45 AM

Thanks for this, but unfortunately the result looks like this: alt text

i changed the line to:

| chart values(Difference) over _time by  Process

And result is this one.
alt text

Now the result is correct but how can i display the y axis as time (time format)?
If i replace "Difference" by "Timediff" the chart ist empty

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...