Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duration with just days (2)

Oisin77
Explorer
‎12-04-2013 03:29 AM 
source="J:\\B6 Files\\Web Logs\\Vegas\\access_logs\\star.log" INFO star | rex field=_raw "INFO  (?<report>star)  - (?<username>.*) \| (?<month>[A-Za-z]+) (?<day>[0-9]+) (?<year>20[0-9]{2}) (?<time>.*) \| [A-Z]+ \| D \[RANGE\] (?<date1>[0-9]{8})-(?<date2>[0-9]{8})" | search username!="planitas" username!="antonio_rigon" | eval d1=strptime(date1, "%Y%m%d") | eval d2=strptime(date2, "%Y%m%d") |  eval d3=(d2-d1) | eval "diff_days"=tostring(d3,"duration") | rex field="diff_days" "(?<durationdays>^\d+)\+" | stats count(report) by diff_days

So even though I have it in the code, in statistics its not just the days are shown like its supposed to be, it has the + thing with hours, minutes, seconds, etc. Why is this?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-04-2013 06:09 AM

Why don't you just divide the difference of dates with 86400 (equivalent to 1 day in sec).

source="J:\\B6 Files\\Web Logs\\Vegas\\access_logs\\star.log" INFO star | rex field=_raw "INFO  (?<report>star)  - (?<username>.*) \| (?<month>[A-Za-z]+) (?<day>[0-9]+) (?<year>20[0-9]{2}) (?<time>.*) \| [A-Z]+ \| D \[RANGE\] (?<date1>[0-9]{8})-(?<date2>[0-9]{8})" | search username!="planitas" username!="antonio_rigon" | eval d1=strptime(date1, "%Y%m%d") | eval d2=strptime(date2, "%Y%m%d") | eval diff_days=(d2-d1)/86400 | stats count(report) by diff_days

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-04-2013 06:09 AM

Why don't you just divide the difference of dates with 86400 (equivalent to 1 day in sec).

source="J:\\B6 Files\\Web Logs\\Vegas\\access_logs\\star.log" INFO star | rex field=_raw "INFO  (?<report>star)  - (?<username>.*) \| (?<month>[A-Za-z]+) (?<day>[0-9]+) (?<year>20[0-9]{2}) (?<time>.*) \| [A-Z]+ \| D \[RANGE\] (?<date1>[0-9]{8})-(?<date2>[0-9]{8})" | search username!="planitas" username!="antonio_rigon" | eval d1=strptime(date1, "%Y%m%d") | eval d2=strptime(date2, "%Y%m%d") | eval diff_days=(d2-d1)/86400 | stats count(report) by diff_days
Reply
Solved! Jump to solution

Oisin77
Explorer
‎12-04-2013 06:24 AM

Great, thanks a lot.

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎12-04-2013 06:05 AM

You are using "diff_days" in your stats call rather than the "durationdays". Try this instead:

... | stats count(report) by durationdays

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...