How to add a lapsed time to a field's timestamp

MeMilo09 · ‎11-16-2021

Howdy,

Been researching on how to give time for the next sequential event to occur, but have not found a way. Lets say field X occurred and the next event to take place is field Y, but field Y is null if under 24 hrs give Length_of_Time in min once Y happens.

Issue is if its the same day and Y still has not occurred following X -- , give X 24 hours to happen from the time field Y happened before marking it as failure of error... So far this is what I have...

|  eval X = strptime(StartTime,"%Y-%m-%d %H:%M:%S.%q"),
 Y =strptime(EndTime,"%Y-%m-%d %H:%M:%S.%6N")

note: 86400 is 24 hrs in seconds 

| eval Length_of_Time = if(isNull(Y)AND Y-X < 86400 AND 86400<=X,round((X-Y)/60,0))

ITWhisperer · ‎11-16-2021

It is unclear to me what you are trying to achieve here - if Y is null, what are you expecting from any further calculations involving Y? Assuming StartTime is a timestamp field, X will probably always be greater than 86400. Assuming you do have actual datetimes in X and Y, the description would suggest that Y occurs after X, so X-Y will be negative.

Please can you clarify, perhaps with some real examples of the event you are dealing with?

MeMilo09 · ‎11-16-2021

Hi,

my bad for the confusion, I am temporary away from my work station and don’t have the actual code at the moment

Y can take upto 24 hours to show up after x - making it null until the 24 hours complete.

so I was thinking I could include a lapse of time of 24 hours after x took place.

How to add a lapsed time to a field's timestamp

eval

other

stats

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor