Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add time values together in search query?

cdgill
Explorer
‎01-30-2018 06:05 AM

Basically just trying to add three time values together by doing this: eval total_time = queue_time + Duration + test_summary.duration, but I am not getting any results. Any help?

Tags (1)
0 Karma
Reply

ssadanala1
Contributor
‎01-30-2018 11:59 AM

Here you go

| makeresults
| eval current="10:00:00"
| eval c_time=strptime(current,"%H:%M:%S")
| eval duration=30
| eval total = c_time+duration
| convert ctime(total)

0 Karma
Reply

niketn
Legend
‎01-30-2018 08:19 AM

@cdgill, make sure that the three field names are correct and have same case as field names are case sensitive i.e. queue_time, Duration and test_summary.duration.

Since dot (.) is used as string concatenation character for eval, you would need to escape the dot character present in the field name using single quotes in eval expression.

<YourBaseSearchWithThreeFields>
| eval total_time = queue_time + Duration + 'test_summary.duration'

Following is a run anywhere example for the same:

| makeresults
| eval queue_time=5, Duration=4, test_summary.duration=7
| table queue_time Duration "test_summary.duration"
| eval total_time = queue_time + Duration + 'test_summary.duration'
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cdgill
Explorer
‎01-30-2018 10:45 AM

Just attempted your solution and it seemed to just perform a string concatenation.

0 Karma
Reply

niketn
Legend
‎01-30-2018 12:01 PM

@cdgill, have you tried the run anywhere search above? Are you not getting the total_time as 16?

If run anywhere search is working and | eval total_time = queue_time + Duration + 'test_summary.duration' is not working in your current search please add some sample data for the three fields and also mention the field names as is.

What happens when you print | table queue_time Duration "test_summary.duration". Are the fields showing values correctly?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cdgill
Explorer
‎01-30-2018 12:04 PM

Here's an image which shows my table along with my search query. I appreciate the help, I'm very new and lost when it comes to Splunk! https://imgur.com/a/FfM0Q

0 Karma
Reply

ssadanala1
Contributor
‎01-30-2018 12:11 PM

@cdgill you need to convert the duration to epoch and later change it to human readable format

0 Karma
Reply

harsmarvania57
Ultra Champion
‎01-30-2018 07:50 AM

Hi @cdgill,

Can you please provide sample data for all three fields ?

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...