Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my eval statements to find the difference between Start and Finish times and convert to a human readable format?

thoban
Explorer
‎06-09-2016 09:48 AM

I'm looking to show the duration of logons through VDI logs. I convert _time into something better for the Start and Finish Times, but I'm unable to evaluate the difference.

I have tried to convert the Splunk duration fields back to a "human" readable format, but I have not been successful.

EVAL Start_Time=strftime(if(EventType="AGENT_CONNECTED",_time,null()), "%H:%M:%S") | EVAL Finish_Time=strftime(if(EventType="AGENT_ENDED",_time,null()), "%H:%M:%S") | transaction UserDisplayName MachineName startswith="AGENT_CONNECTED" endswith="AGENT_ENDED" | EVAL Duration=Finish_Time-Start_Time | Table UserDisplayName MachineName Start_Time Finish_Time Duration
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2016 10:43 AM

Start_Time and Finish_Time are strings so you can't do math with them. To get the different between two timestamps, always use epoch form (what's passed in to strftime()). Something like this:

EVAL startTime=if(EventType="AGENT_CONNECTED",_time,null())| eval Start_Time=strftime(startTime, "%H:%M:%S") | EVAL finishTime=strftime(if(EventType="AGENT_ENDED",_time,null()), | eval Finish_Time=strftime(finishTime,"%H:%M:%S") | transaction UserDisplayName MachineName startswith="AGENT_CONNECTED" endswith="AGENT_ENDED" | EVAL Duration=finishTime-startTime | Table UserDisplayName MachineName Start_Time Finish_Time Duration
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2016 10:43 AM

Start_Time and Finish_Time are strings so you can't do math with them. To get the different between two timestamps, always use epoch form (what's passed in to strftime()). Something like this:

EVAL startTime=if(EventType="AGENT_CONNECTED",_time,null())| eval Start_Time=strftime(startTime, "%H:%M:%S") | EVAL finishTime=strftime(if(EventType="AGENT_ENDED",_time,null()), | eval Finish_Time=strftime(finishTime,"%H:%M:%S") | transaction UserDisplayName MachineName startswith="AGENT_CONNECTED" endswith="AGENT_ENDED" | EVAL Duration=finishTime-startTime | Table UserDisplayName MachineName Start_Time Finish_Time Duration
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

thoban
Explorer
‎06-09-2016 11:34 AM

I tried your suggestions with a change or two:

EVAL StartTime=if(EventType="AGENT_CONNECTED",_time,null()) | EVAL Start_Time=strftime(StartTime, "%H:%M:%S") | EVAL FinishTime=if(EventType="AGENT_ENDED",_time,null()) | EVAL Finish_Time=strftime(FinishTime, "%H:%M:%S") | transaction Start_Time Finish_TIME UserDisplayName MachineName startswith="AGENT_CONNECTED" OR "AGENT_RECONNECTED" endswith="AGENT_ENDED" | EVAL Duration=FinishTime-StartTime | Table UserDisplayName MachineName Start_Time Finish_Time Duration

I guess the duration is in seconds, but not truly usable.

Here is the output for example:

Start_Time Finish_Time Duration
13:55:40 14:09:12 812

11:20:49 13:48:58 8889

11:52:35 16:01:53 14958

11:40:48 15:17:07 12979

09:59:02 15:45:36 20794

09:42:48 14:58:08 18920

16:16:57 16:37:31 1234

11:58:54 13:45:29 6395

11:28:13 13:54:58 8805

09:10:04 15:15:16 21912

I then added this to see:

|  EVAL duration=FinishTime-StartTime | EVAL Duration=strftime(duration, "%H:%M:%S") |

The below durations seem to have correct minutes and seconds, but not hours.

Start_Time Finish_Time Duration
13:55:40 14:09:12 19:13:32

11:20:49 13:48:58 21:28:09

11:52:35 16:01:53 23:09:18

11:40:48 15:17:07 22:36:19

09:59:02 15:45:36 00:46:34

09:42:48 14:58:08 00:15:20

16:16:57 16:37:31 19:20:34

11:58:54 13:45:29 20:46:35

11:28:13 13:54:58 21:26:45

09:10:04 15:15:16 01:05:12

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-09-2016 11:40 AM

Use this as your last eval

| eval Duration=tostring(duration,"duration")
Reply
Solved! Jump to solution

thoban
Explorer
‎06-09-2016 12:19 PM

Exactly what was needed!
Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...