Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate age of event?

ednk
Explorer
‎04-26-2022 11:34 PM

Hi 

I have for each event the open_time and update_time,

I want to calculate the age of the event,

like: 

open_time               update_time           age

2022-03-26            2022-04-26            1m

2022-04-22            2022-04-26             4d

 

any idea ?

thanks

Labels (2)
Labels
Tags (2)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-27-2022 12:00 AM

@ednk 

You can use tostring function to get age sorta from days. 

Can you please try this?

| makeresults | eval _raw="open_time               update_time           age
2022-02-26            2022-04-26            1m
2022-04-22            2022-04-26             4d" 
| multikv forceheader=1
|table open_time update_time 
| rename comment as "Upto now is for sample data only" 
| eval open_time = strptime(open_time, "%Y-%m-%d") 
| eval update_time = strptime(update_time, "%Y-%m-%d") 
| eval field_in_secs= update_time - open_time
| eval string_dur=tostring(field_in_secs, "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval Age=replace(formatted_dur, "^d (0h (0m )?)?","")

 

 Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

ednk
Explorer
‎05-02-2022 05:55 AM

@kamlesh_vaghela 

thank you, 

this is what I got.

how can I remove the seconds and milliseconds?

open_time update_time Age field_in_secs formatted_dur string_dur

1645826400.0000001650920400.00000058d 23h 0m 0s.0000005094000.00000058d 23h 0m 0s.00000058+23:00:00.000000
1650574800.0000001650920400.0000004d 0h 0m 0s.000000345600.0000004d 0h 0m 0s.0000004+00:00:00.000000
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-08-2022 09:54 PM

@ednk 

Please try this.

| makeresults | eval _raw="open_time               update_time           age
2022-02-26            2022-04-26            1m
2022-04-22            2022-04-26             4d" 
| multikv forceheader=1
|table open_time update_time 
| rename comment as "Upto now is for sample data only" 
| eval open_time = round(strptime(open_time, "%Y-%m-%d"))
| eval update_time = round(strptime(update_time, "%Y-%m-%d"))
| eval field_in_secs= update_time - open_time
| eval string_dur=tostring(field_in_secs, "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval Age=replace(formatted_dur, "^d (0h (0m )?)?","")

 

KV

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...