Splunk Search

How to find elapsed time between now() and event?

_dave_b
Communicator

Hello. I am trying to find the amount of time that has passed from the time an event occurred to the present (now()). I tried subtracting the time of the event from the current time, but I got an epoch time value that gives me times in the 1970s. What conversions do I have to make to have Splunk tell me something happened 30 hours ago and not 30 years?

Thanks for your help

1 Solution

Richfez
SplunkTrust

Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs.

... | fieldformat timeField = tostring(timeField,"duration")


sideview
SplunkTrust

Well you have the time of the event as _time field, and you can use now() in eval expressions, so you can make a field, let's call it secondsAgo, like so:

| eval secondsAgo=now() - _time

It is of course just a number of seconds. If you were to do | convert ctime(secondsAgo), that would be weird because you're asking Splunk to tell you what time it would be if this number of seconds were defined as "the number of seconds since 1/1/1970 in GMT", which... is generally a random time in 1970.

What you probably want to do after getting secondsAgo as an integer, is convert it to an "HH:MM:SS" duration string, like so:

| eval secondsAgo=now() - _time | eval durationStr=tostring(secondsAgo,"duration")

or if you prefer it in one eval expression,

| eval secondsAgoStr=tostring(now() - _time, "duration")
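To make the epoch-versus-duration distinction concrete, here is an added Python example (not from this thread and not Splunk's own code) that models the three steps above: the now() - _time subtraction, the mistaken ctime reinterpretation that yields a 1970 date, and the duration formatting. The fixed sample timestamps and the D+HH:MM:SS shape for values of a day or more are assumptions, modelled on what tostring(X, "duration") produces.

```python
from datetime import datetime, timezone

# Constructed sample: an event whose _time (epoch seconds, UTC) is 30 hours,
# 15 minutes and 7 seconds before "now". Fixed so the run is reproducible.
NOW = 1_700_000_000                              # stands in for Splunk's now()
EVENT_TIME = NOW - (30 * 3600 + 15 * 60 + 7)     # the event's _time


def seconds_ago(event_time: int, now: int = NOW) -> int:
    """Equivalent of `eval secondsAgo=now() - _time`.

    The result is a duration in seconds, not an epoch timestamp.
    """
    return now - event_time


def as_epoch_date(seconds: int) -> str:
    """What `convert ctime(secondsAgo)` effectively does: it reinterprets the
    duration as seconds since 1970-01-01 UTC, hence the bogus 1970 dates."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def as_duration(seconds: int) -> str:
    """Render a second count the way tostring(X, "duration") does: HH:MM:SS,
    with a leading D+ day count once the value reaches a full day (assumed
    output shape; fractional seconds are truncated here)."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


if __name__ == "__main__":
    age = seconds_ago(EVENT_TIME)
    print("secondsAgo          :", age)
    print("as ctime (wrong)    :", as_epoch_date(age))   # a date in 1970
    print("as duration (right) :", as_duration(age))     # 1+06:15:07
```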

_dave_b
Communicator

Thanks! This is worthy of acceptance for the Answer, but rich7177 posted his Answer-acceptance worthy reply first, and therefore must get credit. I hope my gratitude will suffice in lieu of Karma points!

sideview
SplunkTrust

hehe. Sure, no problem. He and I were writing our answers at the same time. Unaccepting answers and accepting others happens all the time, but in this case they are both right so it matters little. Cheers.



_dave_b
Communicator

Thanks! I was not picking up on that important detail.
