Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate working hours between start and end DateTime

kenchisho
Path Finder
‎08-02-2012 08:00 AM

I am trying to build a working hours report with splunk...

I have a start date and an end date like so:

start_time
2012-07-03 12:56:07

end_time
2012-07-14 16:30:22

calculating calendar hours is simple but how do i get working hours?

any ideas?

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-05-2012 09:48 AM

you can convert your time to epochtime, ft not already done or use the splunk timestamp (in _time as epoch time)
if you want other time calculations, use eval.

see http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Convert

mysearch_for_my_task 
| convert timeformat="%Y-%M-%d %H:%M:%S" start_second=mktime(start_time) AS start_second
| convert timeformat="%Y-%M-%d %H:%M:%S" start_second=mktime(end_time) AS end_second
| eval duration_second=end_second-start_second
| eval duration_hour=round(duration_second/360,0)
| table duration_hour

if the timestamp is the timestamp of the event, you can try a transaction



mysearch | transaction mycommonfield startswith="keyword1" endswith="keyword2" 

| table mycommonfield _time duration

or use stats


mysearch | stats first(_time) AS recent last(_time) AS oldest by mycommonfield 

| eval duration_second=recent-oldest 

| eval duration_second=end_second-start_second

| eval duration_hour=round(duration_second/360,0)

| table mycommonfield duration_hour

0 Karma
Reply

kenchisho
Path Finder
‎08-03-2012 02:20 AM

well the number of working hours between the start_time and end_time

for example i start working on a task at 09:00 AM on monday and finish at 13:00 PM on wednesday... i wish to count the number of working hours on the task...

0 Karma
Reply

Ayn
Legend
‎08-02-2012 10:01 AM

What do you mean by "calculating" hours?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...