Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duration with just days (2)

Oisin77
Explorer
‎12-04-2013 03:29 AM 
source="J:\\B6 Files\\Web Logs\\Vegas\\access_logs\\star.log" INFO star | rex field=_raw "INFO  (?<report>star)  - (?<username>.*) \| (?<month>[A-Za-z]+) (?<day>[0-9]+) (?<year>20[0-9]{2}) (?<time>.*) \| [A-Z]+ \| D \[RANGE\] (?<date1>[0-9]{8})-(?<date2>[0-9]{8})" | search username!="planitas" username!="antonio_rigon" | eval d1=strptime(date1, "%Y%m%d") | eval d2=strptime(date2, "%Y%m%d") |  eval d3=(d2-d1) | eval "diff_days"=tostring(d3,"duration") | rex field="diff_days" "(?<durationdays>^\d+)\+" | stats count(report) by diff_days

So even though I have it in the code, in statistics its not just the days are shown like its supposed to be, it has the + thing with hours, minutes, seconds, etc. Why is this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-04-2013 06:09 AM

Why don't you just divide the difference of dates with 86400 (equivalent to 1 day in sec).

source="J:\\B6 Files\\Web Logs\\Vegas\\access_logs\\star.log" INFO star | rex field=_raw "INFO  (?<report>star)  - (?<username>.*) \| (?<month>[A-Za-z]+) (?<day>[0-9]+) (?<year>20[0-9]{2}) (?<time>.*) \| [A-Z]+ \| D \[RANGE\] (?<date1>[0-9]{8})-(?<date2>[0-9]{8})" | search username!="planitas" username!="antonio_rigon" | eval d1=strptime(date1, "%Y%m%d") | eval d2=strptime(date2, "%Y%m%d") | eval diff_days=(d2-d1)/86400 | stats count(report) by diff_days

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-04-2013 06:09 AM

Why don't you just divide the difference of dates with 86400 (equivalent to 1 day in sec).

source="J:\\B6 Files\\Web Logs\\Vegas\\access_logs\\star.log" INFO star | rex field=_raw "INFO  (?<report>star)  - (?<username>.*) \| (?<month>[A-Za-z]+) (?<day>[0-9]+) (?<year>20[0-9]{2}) (?<time>.*) \| [A-Z]+ \| D \[RANGE\] (?<date1>[0-9]{8})-(?<date2>[0-9]{8})" | search username!="planitas" username!="antonio_rigon" | eval d1=strptime(date1, "%Y%m%d") | eval d2=strptime(date2, "%Y%m%d") | eval diff_days=(d2-d1)/86400 | stats count(report) by diff_days
Reply
Solved! Jump to solution

Oisin77
Explorer
‎12-04-2013 06:24 AM

Great, thanks a lot.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-04-2013 06:05 AM

You are using "diff_days" in your stats call rather than the "durationdays". Try this instead:

... | stats count(report) by durationdays

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...