Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Duration determination
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Duration determination
Here is a sample of a connection that spans the midnight hour into the next day. I'm trying to extract a new field named duration that contains the difference between the connect and disconnect times in a human readable format
1547514148 2019-01-14 20:02:27 connect johndoe
1547530430 2019-01-15 00:33:49 disconnect johndoe
I've tried many different splunk commands such as stats, eval and transaction commands from many posts here but have been unsuccessful
Thanks in advance,
Robert
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Robert,
I assume you have the fields _time, action (connect|disconnect) and username available; or named something similar.
If you are missing the _time field, then use the strptime() eval function to create it.
Now I suggest you use the transaction command as follows:
your base search
| transaction user startswith=(status="connect") endswith=(status="disconnect")
| eval duration=tostring(duration, "duration")
The transaction command will create the duration field.
The eval command will convert the duration from the number of seconds to the more human readable format HH:MM:SS.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked after I changed the field name status to action
status="connect") endswith=(status="disconnect") to this
action="connect") endswith=(action="disconnect")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (assuming user is the field that owns johndoe😞
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| streamstats count(searchmatch("disconnect")) AS sessionID BY user
| stats range(_time) AS duration BY sessionID user
And then maybe also
| eval duration = tostring(duration, "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This generated the following error
Error in 'SearchProcessor': Mismatched quotes and/or parenthesis.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was missing a ). I updated my answer. Try it now, @roayers.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
