Basically just trying to add three time values together by doing this: eval total_time = queue_time + Duration + test_summary.duration, but I am not getting any results. Any help?
Here you go
| makeresults
| eval current="10:00:00"
| eval c_time=strptime(current,"%H:%M:%S")
| eval duration=30
| eval total = c_time+duration
| convert ctime(total)
@cdgill, make sure that the three field names are correct and have the same case, as field names are case sensitive, i.e. queue_time, Duration and test_summary.duration.
Since dot (.) is used as the string concatenation character for eval, you would need to escape the dot character present in the field name using single quotes in the eval expression.
<YourBaseSearchWithThreeFields>
| eval total_time = queue_time + Duration + 'test_summary.duration'
Following is a run anywhere example for the same:
| makeresults
| eval queue_time=5, Duration=4, test_summary.duration=7
| table queue_time Duration "test_summary.duration"
| eval total_time = queue_time + Duration + 'test_summary.duration'
Just attempted your solution and it seemed to just perform a string concatenation.
@cdgill, have you tried the run anywhere search above? Are you not getting the total_time as 16?
If the run anywhere search is working and | eval total_time = queue_time + Duration + 'test_summary.duration' is not working in your current search, please add some sample data for the three fields and also mention the field names as is.
What happens when you print | table queue_time Duration "test_summary.duration"? Are the fields showing values correctly?
Here's an image which shows my table along with my search query. I appreciate the help, I'm very new and lost when it comes to Splunk! https://imgur.com/a/FfM0Q
@cdgill you need to convert the duration to epoch and later change it to human readable format
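A run-anywhere sketch of that conversion, added here as an example and not posted by anyone in the thread. It assumes the three fields hold HH:MM:SS strings (the screenshot is not reproduced here, so this is an assumption); the sample values and the helper field names summary, as_strings, test_duration, queue_s, duration_s, test_s and total_s are constructed.

```spl
| makeresults
| eval queue_time="00:00:05", Duration="00:01:30", summary="00:10:00"
| rename summary AS "test_summary.duration"
| eval as_strings = queue_time + Duration + 'test_summary.duration'
| eval test_duration = 'test_summary.duration'
| convert dur2sec(queue_time) AS queue_s dur2sec(Duration) AS duration_s dur2sec(test_duration) AS test_s
| eval total_s = queue_s + duration_s + test_s
| eval total_time = tostring(total_s, "duration")
| table queue_time Duration "test_summary.duration" as_strings total_s total_time
```

The as_strings column shows what + does when all operands are strings (concatenation), while total_time is the numeric sum rendered back as HH:MM:SS.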
Hi @cdgill,
Can you please provide sample data for all three fields?