Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate difference between 2 times in minutes

jip31
Motivator
‎04-22-2022 09:42 AM

Hi

I need to count time events between now() and now() - 10 minutes

Something like this :

eval delta =now() - 10 minutes 

Couleur you help please ?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-22-2022 10:45 AM

Your stats command is not syntactically correct so it will not work anyway. But that's another problem.

The most important thing is that whenever you can, limit your events as early as you can. And time limiting is the most effective way to speed up your search. So it's way more effective to do a search for last 15 minutes and calculate something from that set of data than running a search over "All time" only to limit the results in the last step.

But sometimes of course limiting results by some time-related field is desirable.

In general, when working with timestamps in Splunk, unless you're doing some very unusual magic, you manipulate so called epoch or unix timestamps - numbers containing numbers of seconds since midnight Jan 1st 1970. So it's only natural to think in seconds when doing any timestamp manipulation comparison.

So you usually do it like this - if you want only those results in which a, let's say, start_time field is between 2 and 3 days ago you simply add

| where start_time>now() - 3*86400 AND start_time<now() - 2*86400

Of course you must have the field start_time as the numerical unix timestamp so if needed you have to parse your event's field with strptime()

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-22-2022 09:44 AM

But it's a constant 600 seconds. Where's the catch? 🙂

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-22-2022 10:00 AM

 

I dont need to convert now() in minutes?

And how to apply it in my search

Like this?

| stats dc(x) where delta < 10

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-22-2022 10:45 AM

Your stats command is not syntactically correct so it will not work anyway. But that's another problem.

The most important thing is that whenever you can, limit your events as early as you can. And time limiting is the most effective way to speed up your search. So it's way more effective to do a search for last 15 minutes and calculate something from that set of data than running a search over "All time" only to limit the results in the last step.

But sometimes of course limiting results by some time-related field is desirable.

In general, when working with timestamps in Splunk, unless you're doing some very unusual magic, you manipulate so called epoch or unix timestamps - numbers containing numbers of seconds since midnight Jan 1st 1970. So it's only natural to think in seconds when doing any timestamp manipulation comparison.

So you usually do it like this - if you want only those results in which a, let's say, start_time field is between 2 and 3 days ago you simply add

| where start_time>now() - 3*86400 AND start_time<now() - 2*86400

Of course you must have the field start_time as the numerical unix timestamp so if needed you have to parse your event's field with strptime()

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-22-2022 10:29 AM

@jip31 - Is there a reason why you cannot use timerange as last 10 minutes only?

Is there any specific reason you want to use it in the search to calculate and filter by delta?

Can you please explain the requirement bit more?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎04-22-2022 11:17 AM

Hi

Yes because I already use an earliest and latest command in my search in ordre to filmer events between 7h and 18h

So in this slot of time only i need to count events which only existe sin ce 10 minutes or less

0 Karma
Reply
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...