Hi,
I wasn't aware start and end time could span more than 1 day so I have reviewed my answer from 2016 and proposed the following for you:
| eval start_time_epoch = strptime(reported_time,"%b %d %Y %H:%M:%S")
| eval start_time_second = strftime(start_time_epoch,"%S")
| eval start_time_epoch_rounded = start_time_epoch - start_time_second
| fields - start_time_epoch, start_time_second
| eval close_time_epoch = strptime(processed_time,"%b %d %Y %H:%M:%S")
| eval close_time_second = strftime(close_time_epoch,"%S")
| eval close_time_epoch_rounded = close_time_epoch - close_time_second
| fields - close_time_epoch, close_time_second
| eval minute = mvrange(0, (close_time_epoch_rounded - start_time_epoch_rounded), 60)
| mvexpand minute
| eval _time = start_time_epoch_rounded + minute
| eval myHour = strftime(_time,"%H")
| eval myMinute = strftime(_time,"%H")
| eval myDay = strftime(_time,"%A")
| where myDay != "Saturday" AND myDay != "Sunday" AND (myHour >= 13 OR myHour < 1)
| stats count as durationInMinutes by reported_time, processed_time
| eval duration = tostring(durationInMinutes*60, "duration")
And it seems to work fine in calculating the duration up to the minute:
Let me know if that works. If not please provide examples (text always better than screenshots).
Hi @javiergn ,
Thanks for your efforts! really appreciated. Some of the results look ok but others not really. For example look at this one (ticket on the left, omitted in the screenshot)
here's my current query:
| eval start=strptime(reported_time,"%b %d %Y %H:%M:%S")
| eval end=strptime(processed_time,"%b %d %Y %H:%M:%S")
| eval startAt1pm = relative_time(start, "@d+13h")
| eval endAt1am = relative_time(end, "@d+1h")
| eval newStart = if(start > startAt1pm, start, startAt1pm)
| eval newEnd = if(end < endAt1am, end, endAt1am)
| eval durationInSecs = newEnd - newStart
| eval durationHours = floor(durationInSecs/3600)
| eval durationMins = floor((durationInSecs - (durationHours*3600))/60)
| eval durationString = if(durationHours<10, "0" . toString(durationHours), toString(durationHours)) . ":" . if(durationMins<10, "0" . toString(durationMins), toString(durationMins)) |eval SLO=if(durationInMinutes>60,"SLO Fail","SLO Achieved")
| stats first(durationString) as durationString by ticket, reported_time, processed_time,SLO
| sort by - durationString
thank you,
Wheresmydata
Hi,
I wasn't aware start and end time could span more than 1 day so I have reviewed my answer from 2016 and proposed the following for you:
| eval start_time_epoch = strptime(reported_time,"%b %d %Y %H:%M:%S")
| eval start_time_second = strftime(start_time_epoch,"%S")
| eval start_time_epoch_rounded = start_time_epoch - start_time_second
| fields - start_time_epoch, start_time_second
| eval close_time_epoch = strptime(processed_time,"%b %d %Y %H:%M:%S")
| eval close_time_second = strftime(close_time_epoch,"%S")
| eval close_time_epoch_rounded = close_time_epoch - close_time_second
| fields - close_time_epoch, close_time_second
| eval minute = mvrange(0, (close_time_epoch_rounded - start_time_epoch_rounded), 60)
| mvexpand minute
| eval _time = start_time_epoch_rounded + minute
| eval myHour = strftime(_time,"%H")
| eval myMinute = strftime(_time,"%H")
| eval myDay = strftime(_time,"%A")
| where myDay != "Saturday" AND myDay != "Sunday" AND (myHour >= 13 OR myHour < 1)
| stats count as durationInMinutes by reported_time, processed_time
| eval duration = tostring(durationInMinutes*60, "duration")
And it seems to work fine in calculating the duration up to the minute:
Let me know if that works. If not please provide examples (text always better than screenshots).
