Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to eval calculate time since event?

michaeler
Communicator
‎02-28-2023 04:10 AM

I'm trying to add a "Downtime" field to my table. The timestamp on the event isn't reliable because it is when the issue was reported, not when it began so I had to extract the time from another field. This is a two-part question.

1. Is there a better, more simple way to get my "Downtime" variable. 

rex field=issue ".+(?P<S_Time>\d{4})[Z]\s(?P<S_Date>\d{2}\s[A-Z][a-z]{2})"
eval Issue_Began=S_Time. " ".S_Date." ".date_year       ```Output ex - 0654 27 Feb 2023```
eval StartTime=strftime(strptime(Issue_Began, "%H%M %d %B %Y"), "%m/%d/%Y %H:%M")
eval duration=now()-strptime(StartTime, "%m/%d/%Y %H:%M")
eval duration=tostring(duration,"duration")
rex field=duration "((?P<D>\d{1,2})\+)?(?P<H>\d{2}):(?P<M>\d{2})" ```Output ex - 1+05:16.51```
eval Downtime=D."D ".H."H ".M."M "

2. When a system is down for less than 24 hours, the Downtime field is blank, otherwise it will give me the expected result of "1D 05H 16M". How do I alter that eval to skip "D" if it is null? I'm assuming that's the issue because the field operates properly for all other events over 1 day long.

Answers to either question is greatly appreciated!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-28-2023 04:27 AM

The strptime() function should be able to extract the timestamp from the field

| rex field=issue ".+(?<timedate>\d{4}\s\d{2}\s[A-Z][a-z]{2})"
| eval Issue_Began=strptime(timedate." ".date_year,"%H%M %d %b %Y")

and use fillnull

| fillnull value=0 D

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎02-28-2023 04:32 AM

1. Please, paste your code in preformatted block or code block - it greatly improves readability. Also, you forgot the pipes between different commands. In this case it's pretty understandable where they should be but it's not always the case.

2. Don't overthink! If you have a timestamp in the unix timestamp format (number of seconds since epoch), there's no more convenient form! With such a numerical field you can easily calculate offsets, differences and such. Only at the final step of your process you should render this to a datetime string or duration string.

So just strptime() your time fields, calculate the difference and you're good. Doing strptime and strftime several times in a row doesn't help you - it just introduces more points where you can do something wrong (for example by specifying wrong time format) and is more CPU-expensive.

0 Karma
Reply
Solved! Jump to solution

michaeler
Communicator
‎02-28-2023 05:47 AM

1. That would make it easier but the Splunk instance I manage has no internet connectivity so I have to manually retype it over.

2. Good point, I felt like I was over complicating it

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-28-2023 04:27 AM

The strptime() function should be able to extract the timestamp from the field

| rex field=issue ".+(?<timedate>\d{4}\s\d{2}\s[A-Z][a-z]{2})"
| eval Issue_Began=strptime(timedate." ".date_year,"%H%M %d %b %Y")

and use fillnull

| fillnull value=0 D
Reply
Solved! Jump to solution

michaeler
Communicator
‎02-28-2023 05:54 AM

In the issue field the time is displayed as 0654Z 27 Feb. Will this still work? Thats the only reason I extracted the time and day/month separately.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-28-2023 06:14 AM

Sorry, I forgot the Z, try this

| rex field=issue ".+(?<time>\d{4})Z\s(?<date>\d{2}\s[A-Z][a-z]{2})"
| eval Issue_Began=strptime(time." ".date." ".date_year,"%H%M %d %b %Y")
0 Karma
Reply
Solved! Jump to solution

michaeler
Communicator
‎02-28-2023 06:10 AM

Nevermind. Just added %Z in the eval and it worked fine. Thanks for the help!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...