Solved: How to correct the time in the "elapsed_Time" fiel...

saurabhbdwj · ‎06-01-2022

index="SOMETHING" earliest=-30d@d
| stats earliest(_time) as action_StartTime latest(_time) as action_EndTime
| eval elapsed_Time= action_EndTime - action_StartTime
| convert ctime(action_StartTime) ctime(action_EndTime) ctime(elapsed_Time)
| fields + action_StartTime action_EndTime elapsed_Time
| sort by action_StartTime

The elapsed_Time is wrong, how can i make it correct?

gcusello · ‎06-01-2022

Hi @saurabhbdwj,

elapsed time is a difference between two dates in epochtime, so you cannot display it in date format, you should display it in seconds or in duration:

index="SOMETHING"  earliest=-30d@d
| stats earliest(_time) as action_StartTime latest(_time) as action_EndTime
| eval elapsed_Time=tostring(action_EndTime-action_StartTime,"duration")
| convert ctime(action_StartTime) ctime(action_EndTime) 
| table action_StartTime action_EndTime elapsed_Time 
| sort by action_StartTime

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-01-2022

Hi @saurabhbdwj,

elapsed time is a difference between two dates in epochtime, so you cannot display it in date format, you should display it in seconds or in duration:

index="SOMETHING"  earliest=-30d@d
| stats earliest(_time) as action_StartTime latest(_time) as action_EndTime
| eval elapsed_Time=tostring(action_EndTime-action_StartTime,"duration")
| convert ctime(action_StartTime) ctime(action_EndTime) 
| table action_StartTime action_EndTime elapsed_Time 
| sort by action_StartTime

Ciao.

Giuseppe

saurabhbdwj · ‎06-02-2022

Hi @gcusello
This works exactly the way i want. Thank you for you help.

How to correct the time in the "elapsed_Time" field?

eval

stats

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?