Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I convert epoch time to HH:MM:SS?

mjd555
Path Finder
‎11-11-2015 03:26 AM

Background

So I have two date fields - Date_Created & Acknowledge_Date both in the format YYYY-MM-DD HH:MM:SS. I wish to work out the difference of these two times and then create an average of all the results - essentially this -> Average(Acknowledge_Date-Date_Created)

Search
I have created the following search. This has converted the times to epoch, subtracted them, and provided an average of the epoch time.

 index="Cyber" sourcetype=Response queue = "Incident" status ="resolved"  | dedup ticket

    | table Date_Created, Acknowledge_Date 
    | eval epoch1=strptime(Date_Created,"%Y-%m-%d %H:%M:%S") 
    | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Date_Created) as epochDateCreated
    | eval epoch2=strptime(Acknowledge_Date,"%Y-%m-%d %H:%M:%S")
    | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Acknowledge_Date) as epochAck
    | eval Diff=(epochAck-epochDateCreated)

    |stats avg(Diff)

Problem
I now have an average number in epoch format - 5848.333333 - is there a way to convert this into HH:MM:SS

Any help will be much appreciated

0 Karma
Reply

tmccamant
Explorer
‎11-11-2015 10:49 AM

If you wanted to look at the average time in hours that an incident ticket was open you could use this search

index="Cyber" sourcetype=Response queue="Incident" status="resolved" 
| dedup ticket  
| eval Diff=floor(((strptime(Acknowledge_Date,"%Y-%m-%d %H:%M:%S"))-(strptime(Date_Created,"%Y-%m-%d %H:%M:%S")))/(3600)) 
| stats avg(Diff)

Let me know if this works for you.

0 Karma
Reply

mjd555
Path Finder
‎11-12-2015 01:42 AM

Hi tmccamant,

Afraid this hasn't worked as it has left me with the result of -15.208333

Any other ideas will be greatly appreciated

0 Karma
Reply

DMohn
Motivator
‎11-11-2015 05:27 AM

Your command would be 

 | eval DiffTime=strftime(Diff, "%H:%M:%S")
0 Karma
Reply

mjd555
Path Finder
‎11-11-2015 05:31 AM

Hi DMohn. | eval DiffTime=strftime(Diff, "%H:%M:%S") helps me convert the epoch time to the format I want. However I cannot appear to get | stats avg(DiffTime) when it is in this format.

I also cannot use |stats avg(Diff) before making the conversion.

Is there a solution to this?

0 Karma
Reply

gyslainlatsa
Motivator
‎11-11-2015 04:53 AM

hi mjd555,

try following this link http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/CommonEvalFunctions
and look the function strftime(X,Y)

Reply

mjd555
Path Finder
‎11-11-2015 05:27 AM

Hi Gyslainlatsa, thanks for your help. However once I have added strftime to the code, I cannot average my results.

I also cannot use | stats avg(Diff) before making my conversion.

Is there a solution to this?

0 Karma
Reply

mjd555
Path Finder
‎11-11-2015 05:20 AM

Hi gyslainlatsa, so I strftime has helped me see the time difference in HH:MM:SS - however I cannot avg these results. Is there a way to do this? Thanks again!

 index="Cyber" sourcetype=Response queue = "Incident" status ="resolved"  | dedup ticket

         | table Date_Created, Acknowledge_Date 
         | eval epoch1=strptime(Date_Created,"%Y-%m-%d %H:%M:%S") 
         | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Date_Created) as epochDateCreated
         | eval epoch2=strptime(Acknowledge_Date,"%Y-%m-%d %H:%M:%S")
         | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(Acknowledge_Date) as epochAck
         | eval epochDiff=(epochAck-epochDateCreated)
         | eval normalDiff=strftime(epochDiff, "%H:%M:%S")
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...