Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add time values together in search query?

cdgill
Explorer
‎01-30-2018 06:05 AM

Basically just trying to add three time values together by doing this: eval total_time = queue_time + Duration + test_summary.duration, but I am not getting any results. Any help?

Tags (1)
0 Karma
Reply

ssadanala1
Contributor
‎01-30-2018 11:59 AM

Here you go

| makeresults
| eval current="10:00:00"
| eval c_time=strptime(current,"%H:%M:%S")
| eval duration=30
| eval total = c_time+duration
| convert ctime(total)

0 Karma
Reply

niketn
Legend
‎01-30-2018 08:19 AM

@cdgill, make sure that the three field names are correct and have same case as field names are case sensitive i.e. queue_time, Duration and test_summary.duration.

Since dot (.) is used as string concatenation character for eval, you would need to escape the dot character present in the field name using single quotes in eval expression.

<YourBaseSearchWithThreeFields>
| eval total_time = queue_time + Duration + 'test_summary.duration'

Following is a run anywhere example for the same:

| makeresults
| eval queue_time=5, Duration=4, test_summary.duration=7
| table queue_time Duration "test_summary.duration"
| eval total_time = queue_time + Duration + 'test_summary.duration'
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cdgill
Explorer
‎01-30-2018 10:45 AM

Just attempted your solution and it seemed to just perform a string concatenation.

0 Karma
Reply

niketn
Legend
‎01-30-2018 12:01 PM

@cdgill, have you tried the run anywhere search above? Are you not getting the total_time as 16?

If run anywhere search is working and | eval total_time = queue_time + Duration + 'test_summary.duration' is not working in your current search please add some sample data for the three fields and also mention the field names as is.

What happens when you print | table queue_time Duration "test_summary.duration". Are the fields showing values correctly?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

cdgill
Explorer
‎01-30-2018 12:04 PM

Here's an image which shows my table along with my search query. I appreciate the help, I'm very new and lost when it comes to Splunk! https://imgur.com/a/FfM0Q

0 Karma
Reply

ssadanala1
Contributor
‎01-30-2018 12:11 PM

@cdgill you need to convert the duration to epoch and later change it to human readable format

0 Karma
Reply

harsmarvania57
Ultra Champion
‎01-30-2018 07:50 AM

Hi @cdgill,

Can you please provide sample data for all three fields ?

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...