Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate age of event?

ednk
Explorer
‎04-26-2022 11:34 PM

Hi 

I have for each event the open_time and update_time,

I want to calculate the age of the event,

like: 

open_time               update_time           age

2022-03-26            2022-04-26            1m

2022-04-22            2022-04-26             4d

 

any idea ?

thanks

Labels (2)
Labels
Tags (2)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-27-2022 12:00 AM

@ednk 

You can use tostring function to get age sorta from days. 

Can you please try this?

| makeresults | eval _raw="open_time               update_time           age
2022-02-26            2022-04-26            1m
2022-04-22            2022-04-26             4d" 
| multikv forceheader=1
|table open_time update_time 
| rename comment as "Upto now is for sample data only" 
| eval open_time = strptime(open_time, "%Y-%m-%d") 
| eval update_time = strptime(update_time, "%Y-%m-%d") 
| eval field_in_secs= update_time - open_time
| eval string_dur=tostring(field_in_secs, "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval Age=replace(formatted_dur, "^d (0h (0m )?)?","")

 

 Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

ednk
Explorer
‎05-02-2022 05:55 AM

@kamlesh_vaghela 

thank you, 

this is what I got.

how can I remove the seconds and milliseconds?

open_time update_time Age field_in_secs formatted_dur string_dur

1645826400.0000001650920400.00000058d 23h 0m 0s.0000005094000.00000058d 23h 0m 0s.00000058+23:00:00.000000
1650574800.0000001650920400.0000004d 0h 0m 0s.000000345600.0000004d 0h 0m 0s.0000004+00:00:00.000000
Tags (1)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-08-2022 09:54 PM

@ednk 

Please try this.

| makeresults | eval _raw="open_time               update_time           age
2022-02-26            2022-04-26            1m
2022-04-22            2022-04-26             4d" 
| multikv forceheader=1
|table open_time update_time 
| rename comment as "Upto now is for sample data only" 
| eval open_time = round(strptime(open_time, "%Y-%m-%d"))
| eval update_time = round(strptime(update_time, "%Y-%m-%d"))
| eval field_in_secs= update_time - open_time
| eval string_dur=tostring(field_in_secs, "duration")
| eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s")
| eval Age=replace(formatted_dur, "^d (0h (0m )?)?","")

 

KV

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...