Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

AddTotals for time

gnovak
Builder
‎12-04-2012 08:38 AM

I have a column called LoadTime that displays the amount of time it took for a transaction to take place. I'd like to add this column up and display it as a field called Total.

Example:

00:10:53
00:15:01
00:15:37
02:59:33

I'd like to take all these time values and have a Total amount of time it took in a field called Total. I've been playing around with some commands and still haven't quite figured out how to do this yet.

So far adding this to the end of my search makes a duration field, but it's a large number such as 212117.747682. 

| transaction maxspan=24h | eventstats sum(LoadTime) as "Total"

I've searched the forums but haven't found anything similar to what I am trying to do. Any ideas? I tried addtotals but this appears to be for a numerical value, not a time value.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-04-2012 08:46 AM

Convert your LoadTime to seconds, then do the sum, then convert back to hour:min:sec if needed.

see http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/convert

| transaction maxspan=24h | convert dur2sec(LoadTime) AS LoadTimeSec | eventstats sum(LoadTimeSec) as "TotalSec"

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-04-2012 08:46 AM

Convert your LoadTime to seconds, then do the sum, then convert back to hour:min:sec if needed.

see http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/convert

| transaction maxspan=24h | convert dur2sec(LoadTime) AS LoadTimeSec | eventstats sum(LoadTimeSec) as "TotalSec"

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎12-04-2012 11:00 AM

only one convert at a time, and they can have different formats.

try something like | convert timeformat="$h:$m"$s" dur2sec(fieldA) AS Asec | convert timeformat="$d $h:$m"$s" dur2sec(fieldB) AS Bsec

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-04-2012 09:25 AM

I wonder, can you convert another field as well and add it to this total? I tried | convert dur2sec(LoadTime) dur2sec(IndexEnd) AS LoadTimeSec but this didn't seem to work. Was going to try stretching the command out a bit more. I'm playing with it now. I have the general idea I just have to get the syntax correct. I appreciate your assistance. There's so many commands I always forget one!

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎12-04-2012 09:13 AM

My first method was to extract hh mm ss with the rex command, then use eval to normalize to seconds... But then I saw the dur2sec command 🙂

0 Karma
Reply
Solved! Jump to solution

gnovak
Builder
‎12-04-2012 08:51 AM

Ah, convert command. I tried using that one too but must have just used the wrong syntax. This eventually gave me what i was looking for: | transaction maxspan=24h | convert dur2sec(LoadTime) AS LoadTimeSec | eventstats sum(LoadTimeSec) as "TotalSec" | convert timeformat="%H:%M:%S" ctime(TotalSec) AS Total_Time. Thanks for sending me in the right direction...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...