Splunk Search

## Calculate time delta

Engager

Hi Guys,

I'd like to calculate the time delta. Here is the sample:

| _time | _raw |
| --- | --- |
| 2021-5-26 00:00:00 | port is down |
| 2021-5-26 00:02:20 | port is up |
| 2021-5-26 00:05:00 | port is down |
| 2021-5-26 00:10:05 | port is up |

May I know how to calculate each downtime and sort by '_time'? Thanks.

What I'd like to see:

| _time | downtime |
| --- | --- |
| 2021-5-26 00:00:00 | 02:20 |
| 2021-5-26 00:05:00 | 05:05 |


1 Solution
SplunkTrust

```
YOUR_SEARCH
| rex field=_raw "port is (?<status>.*)"
| transaction startswith=(status="not operational") endswith=(status="operational")
| eval downtime=tostring(duration,"duration")
| table _time downtime
| sort _time
```

My Sample Search :

```
| makeresults
| eval _raw="time    raw
2021-5-26T00:00:00  port is not operational
2021-5-26T00:02:20  port is operational
2021-5-26T00:05:00  port is not operational
2021-5-26T00:10:05  port is operational"
| multikv forceheader=1
| eval _time=strptime(time,"%Y-%m-%dT%H:%M:%S"), _raw=raw
| sort - _time
| rex field=_raw "port is (?<status>.*)"
| transaction startswith=(status="not operational") endswith=(status="operational")
| eval downtime=tostring(duration,"duration")
| table _time downtime
| sort _time
```

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

SplunkTrust

```
YOUR_SEARCH
| rex field=_raw "port is (?<status>\w*)"
| transaction startswith="down" endswith="up"
| eval downtime=tostring(duration,"duration")
| table _time downtime
| sort _time
```

My Sample Code:

```
| makeresults
| eval _raw="time    raw
2021-5-26T00:00:00  port is down
2021-5-26T00:02:20  port is up
2021-5-26T00:05:00  port is down
2021-5-26T00:10:05  port is up"
| multikv forceheader=1
| eval _time=strptime(time,"%Y-%m-%dT%H:%M:%S"), _raw=raw
| sort - _time
| rex field=_raw "port is (?<status>\w*)"
| transaction startswith="down" endswith="up"
| eval downtime=tostring(duration,"duration")
| table _time downtime
| sort _time
```

Thanks
KV
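The pairing that `transaction startswith=... endswith=...` performs in the two answers above, reimplemented as an added Python example (not code from the thread) so the logic can be checked offline: it extracts the status with the same `port is (?<status>.*)` capture, pairs each down event with the next up event and formats the gap as HH:MM:SS. The sample lines are constructed from the thread's data, and status values are compared by exact set membership, which is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed sample events (one per line, "<time>  <raw>"), copied from the thread.
SAMPLE_EVENTS = """\
2021-5-26T00:05:00  port is not operational
2021-5-26T00:10:05  port is operational
2021-5-26T00:00:00  port is not operational
2021-5-26T00:02:20  port is operational
"""

# Same capture as the rex in the answers: the status is whatever follows "port is ".
STATUS_RE = re.compile(r"port is (?P<status>.*)")
DOWN_STATES = {"down", "not operational"}  # startswith markers
UP_STATES = {"up", "operational"}          # endswith markers

def parse_events(text):
    """Return (datetime, status) pairs sorted oldest first; other lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        stamp, raw = line.split(None, 1)
        match = STATUS_RE.search(raw)
        if match is None:
            continue
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"), match["status"].strip()))
    return sorted(events)

def fmt_duration(seconds):
    """Format a gap in seconds as HH:MM:SS."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{secs:02d}"

def downtimes(events):
    """Pair each down event with the next up event, as transaction startswith/endswith does."""
    result = []
    down_since = None
    for when, status in events:
        # Exact membership, so "operational" is never confused with "not operational".
        if status in DOWN_STATES and down_since is None:
            down_since = when
        elif status in UP_STATES and down_since is not None:
            gap = (when - down_since).total_seconds()
            result.append((down_since.isoformat(sep=" "), fmt_duration(gap)))
            down_since = None
    if down_since is not None:  # still down when the data ends: no duration yet
        result.append((down_since.isoformat(sep=" "), None))
    return result
```

A trailing down event with no matching up event is returned with a `None` duration, which is the case to watch for when the port is still down at the end of the search window.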

Engager

Excellent! Appreciate it!

Just one more quick question:

How do I fill startswith and endswith for the sample below?

| time | raw |
| --- | --- |
| 2021-5-26T00:00:00 | port is not operational |
| 2021-5-26T00:02:20 | port is operational |
| 2021-5-26T00:05:00 | port is not operational |
| 2021-5-26T00:10:05 | port is operational |

SplunkTrust
`startswith="not operational" endswith="is operational"`
Engager

I have tried that previously. Not working...

