Splunk Search

How to add time values together in search query?

cdgill
Explorer

Basically just trying to add three time values together by doing this: eval total_time = queue_time + Duration + test_summary.duration, but I am not getting any results. Any help?

0 Karma

ssadanala1
Contributor

Here you go

| makeresults
| eval current="10:00:00"
| eval c_time=strptime(current,"%H:%M:%S")
| eval duration=30
| eval total = c_time+duration
| convert ctime(total)

0 Karma

niketn
Legend

@cdgill, make sure that the three field names are correct and have the same case, as field names are case sensitive, i.e. queue_time, Duration and test_summary.duration.

Since the dot (.) is used as the string concatenation character for eval, you would need to escape the dot character present in the field name using single quotes in the eval expression.

<YourBaseSearchWithThreeFields>
| eval total_time = queue_time + Duration + 'test_summary.duration'

Following is a run anywhere example for the same:

| makeresults
| eval queue_time=5, Duration=4, test_summary.duration=7
| table queue_time Duration "test_summary.duration"
| eval total_time = queue_time + Duration + 'test_summary.duration'
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cdgill
Explorer

Just attempted your solution and it seemed to just perform a string concatenation.

0 Karma

niketn
Legend

@cdgill, have you tried the run anywhere search above? Are you not getting the total_time as 16?

If the run anywhere search is working and | eval total_time = queue_time + Duration + 'test_summary.duration' is not working in your current search, please add some sample data for the three fields and also mention the field names as is.

What happens when you print | table queue_time Duration "test_summary.duration"? Are the fields showing values correctly?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

cdgill
Explorer

Here's an image which shows my table along with my search query. I appreciate the help, I'm very new and lost when it comes to Splunk! https://imgur.com/a/FfM0Q

0 Karma

ssadanala1
Contributor

@cdgill, you need to convert the duration to epoch and later change it to a human-readable format.

0 Karma
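The two answers above (niketn's point about quoting dotted field names, and ssadanala1's point about converting the values to numbers before adding them) come together in the following run-anywhere search. It is an added example, not code from either poster. The field values are constructed: queue_time and test_summary.duration are assumed to arrive as "HH:MM:SS" strings and Duration as a plain number of seconds, which is the situation in which eval's + silently concatenates strings instead of adding. The search shows the concatenated result side by side with the numeric total and formats the total back to HH:MM:SS with tostring(..., "duration").

```spl
| makeresults
| eval queue_time="00:01:30", Duration="45", 'test_summary.duration'="00:00:15"
``` this is the naive attempt: + on string values concatenates, giving "00:01:3045"
| eval naive_total = queue_time + Duration
``` split each HH:MM:SS string on ":" and rebuild it as a number of seconds
| eval q=split(queue_time, ":"), t=split('test_summary.duration', ":")
| eval queue_secs = tonumber(mvindex(q,0))*3600 + tonumber(mvindex(q,1))*60 + tonumber(mvindex(q,2))
| eval ts_secs    = tonumber(mvindex(t,0))*3600 + tonumber(mvindex(t,1))*60 + tonumber(mvindex(t,2))
``` tonumber() on Duration guards against it being extracted as a string as well
| eval total_secs = queue_secs + tonumber(Duration) + ts_secs
``` 90 + 45 + 15 = 150 seconds, rendered as 00:02:30
| eval total_hms = tostring(total_secs, "duration")
| table queue_time Duration "test_summary.duration" naive_total total_secs total_hms
```

The comment lines (starting with three backticks) are SPL's inline comment syntax and can be dropped when pasting into older versions that do not support it. The key check is the naive_total column: if your real search shows a value like that, the inputs are strings and need the split/tonumber step before the addition will work.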

harsmarvania57
Ultra Champion

Hi @cdgill,

Can you please provide sample data for all three fields?

0 Karma