Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval Epoch Duration Time into Human Readable Format

migullmills
Explorer
‎12-19-2019 03:50 PM

I am using the following query to show the duration of a accounts logon and logoff. The results come back in epoch time, and if I make changes to time using eval strftime, it negates the duration. 

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon

If I add 

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" | eval time=strftime(_time,"%x %r") | stats earliest(eval(if(EventCode=4624, time, null()))) as Logon latesteval(eval(if(EventCode=4634, time, null()))) as Logoff by AccountName | eval duration=Logoff-Logon

it converts the Logon and Logoff, but the duration field comes up blank. I am assuming its due to duration not being able to compute the modified time format.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2019 02:59 AM

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2019 02:59 AM

Like this:

index="indexhere" AND (EventCode="4624" OR EventCode="4634") AND AccountName="*"
| stats min(_time) AS Logon max(_time) AS Logoff range(_time) AS duration BY AccountName
| fieldformat Logon = strftime(Logon, "%x %r")
| fieldformat Logoff = strftime(Logoff, "%x %r")
| fieldformat duration = tostring(duration, "duration")
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2019 08:42 PM

@migullmills

Yes, _time gives numeric values (epoch time ) in Logon and Logoff so you can do mathematical operation. like | eval duration=Logoff-Logon.

| eval time=strftime(_time,"%x %r").

strftime gives you human readable string so mathematical operation will return null here.

So here I suggest you to use first search,

Index=indexhere EventCode=4624 OR EventCode=4634 AccountName="*" 
| stats earliest(eval(if(EventCode=4624, _time, null()))) as Logon latesteval(eval(if(EventCode=4634, _time, null()))) as Logoff by AccountName 
| eval duration=Logoff-Logon

If you want duration field in human readable format then try by adding below search block.

|eval myduration=tostring(duration,"duration")

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...