Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find elapsed time between now() and event?

_dave_b
Communicator
‎11-06-2015 02:03 PM

Hello. I am trying to find the amount time that has passed from the time and event occurred to the present (now()). I tried subtracting the time of the event from the current time, but I got an Epoch time value that gives me times in the 1970s. What conversions do I have to make to have Splunk tell me something happened 30 hours ago and not 30 years?

Thanks for your help

Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-06-2015 02:18 PM

Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs. 

... | fieldformat timeField = tostring(timeField,"duration")

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-06-2015 02:20 PM

Well you have the time of the event as _time field, and you can use now() in eval expressions, so you can make a field, let's call it secondsAgo, like so: 

| eval secondsAgo=now() - _time

It is of course just a number of seconds. IF you were to do | convert ctime(secondsAgo), that would be weird because you're asking Splunk to tell you what time it would be if this number of seconds were defined as "the number of seconds since 1/1/1970 in GMT", which.... is generally a random time in 1970.

What you probably want to do after getting secondsAgo as an integer, is convert it to an "HH:MM:SS" duration string, like so: 

| eval secondsAgo=now() - _time | eval durationStr=tostring(secondsAgo,"duration")

or if you prefer it in one eval expression, 

| eval secondsAgoStr=tostring(now() - _time, "duration")
Reply
Solved! Jump to solution

_dave_b
Communicator
‎11-06-2015 02:46 PM

Thanks! This is worthy of acceptance for the Answer, but rich7177 posted his Answer-acceptance worthy reply first, and therefore must get credit. I hope my grattitude will suffice in lieu of Karma points!

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-06-2015 03:30 PM

hehe. Sure no problem. He and I were writing our answers at the same time. Unaccepting answers and accepting others happens all the time but in this case they are both right so it matters little. Cheers.

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-06-2015 02:18 PM

Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs. 

... | fieldformat timeField = tostring(timeField,"duration")
Reply
Solved! Jump to solution

_dave_b
Communicator
‎11-06-2015 02:41 PM

Thanks! I was not picking up on that important detail.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...