Solved: How to correct the time in the "elapsed_Time" fiel...

saurabhbdwj · ‎06-01-2022

index="SOMETHING" earliest=-30d@d
| stats earliest(_time) as action_StartTime latest(_time) as action_EndTime
| eval elapsed_Time= action_EndTime - action_StartTime
| convert ctime(action_StartTime) ctime(action_EndTime) ctime(elapsed_Time)
| fields + action_StartTime action_EndTime elapsed_Time
| sort by action_StartTime

The elapsed_Time is wrong, how can i make it correct?

gcusello · ‎06-01-2022

Hi @saurabhbdwj,

elapsed time is a difference between two dates in epochtime, so you cannot display it in date format, you should display it in seconds or in duration:

index="SOMETHING"  earliest=-30d@d
| stats earliest(_time) as action_StartTime latest(_time) as action_EndTime
| eval elapsed_Time=tostring(action_EndTime-action_StartTime,"duration")
| convert ctime(action_StartTime) ctime(action_EndTime) 
| table action_StartTime action_EndTime elapsed_Time 
| sort by action_StartTime

Ciao.

Giuseppe

View solution in original post

gcusello · ‎06-01-2022

Hi @saurabhbdwj,

elapsed time is a difference between two dates in epochtime, so you cannot display it in date format, you should display it in seconds or in duration:

index="SOMETHING"  earliest=-30d@d
| stats earliest(_time) as action_StartTime latest(_time) as action_EndTime
| eval elapsed_Time=tostring(action_EndTime-action_StartTime,"duration")
| convert ctime(action_StartTime) ctime(action_EndTime) 
| table action_StartTime action_EndTime elapsed_Time 
| sort by action_StartTime

Ciao.

Giuseppe

saurabhbdwj · ‎06-02-2022

Hi @gcusello
This works exactly the way i want. Thank you for you help.

How to correct the time in the "elapsed_Time" field?

eval

stats

Your summer travels continue with new course releases

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

ATTENTION!! We’re MOVING (not really)

Are you a member of the Splunk Community?