Solved: Re: How to find ELAPSED Time entries greater than ...

umithchada · ‎03-18-2022

Hello,

I am trying to find the list of elapsed time over a specific time using our os process sourcetype.

Looks something like this

index=os sourcetype=ps host=* COMMAND=*
| where ELAPSED > "12:59:59"
| table COMMAND ELAPSED _time

But for some reason, the ELAPSED time is still displaying values under this time.

If the ELAPSED Time goes over a day, I am able to filter that out with the where command.

Example:

| where ELAPSED > "60-12:59:59"
| table COMMAND ELAPSED _time

-> Output will give me the results which are older than 60 days, 12:59:59 hours.

johnhuang · ‎03-18-2022

Convert elapsed time into seconds and then filter.

| rex field=ELAPSED "((?<dd>\d+)\-?)((?<hh>\d+)\:?)((?<mm>\d+)\:)?(?<ss>\d+)$"
| eval elapsed_secs=(dd * 86400) + (hh * 3600) + (mm * 60) + (ss)
| where elapsed_secs>46799

View solution in original post

johnhuang · ‎03-18-2022

Convert elapsed time into seconds and then filter.

| rex field=ELAPSED "((?<dd>\d+)\-?)((?<hh>\d+)\:?)((?<mm>\d+)\:)?(?<ss>\d+)$"
| eval elapsed_secs=(dd * 86400) + (hh * 3600) + (mm * 60) + (ss)
| where elapsed_secs>46799

umithchada · ‎03-18-2022

Thanks, this worked for me,

Looks like for data sets below 1 day, we will have to convert to seconds to get accurate filtering.

ITWhisperer · ‎03-18-2022

Do you have ELAPSED_Time as a value in seconds rather than a string?

umithchada · ‎03-18-2022

The value was of ELAPSED was like "05:00:00" .

How to find ELAPSED Time entries greater than a particular amount.

table

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform