Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

sandeep2679
New Member
‎10-31-2017 04:15 AM

Hello,

I am trying to calculate difference between
Disconnected_time Duration
Oct 19 10:35:54 1d 0h:00m:05s

Oct 19 10:35:54 3h:29m:09s
I want to get
Connected_time = disconncted_time - Duration

0 Karma
Reply

alemarzu
Motivator
‎11-02-2017 06:16 AM

Hi there @sandeep2679

This is not the most elegant solution but it might work.

base search ...
| rex "\d{2}:\d{2}:\d{2}\s(?<day>\d+)d\s[hms:\d]+"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<hour>\d+)[hms:\d]"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<min>\d+)m:\d+s"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<sec>\d+)s"
| eval 2sec_day=(day*86400)
| eval 2sec_hourmin=(hour*3600) + (min*60) + sec
| table _time 2sec_*
| addtotals fieldname=duration
| eval conn_time=_time-duration
| eval Connected_time=strftime(conn_time,"%b %d %H:%M:%S")

Hope it helps.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2017 06:57 AM

The only way to calculate time differences is by first converting the times into epoch format. I know of no function to convert durations into epochs so it has to be done manually.

... | rex field=Duration "((?<days>\d+)d\s)?(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s" | eval  days=coalesce(days,0),duration=(days*86400)+(hours*3600)+(minutes*60)+seconds | eval Connected_time=strftime(strptime(Disconnected_time,"%b %d %H:%M:%S")-duration, "%b %d %H:%M:%S") | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-31-2017 07:28 AM

@niketnilay's use of dur2sec is much cleaner than my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sandeep2679
New Member
‎11-02-2017 02:48 AM

Thank you

0 Karma
Reply

niketn
Legend
‎10-31-2017 06:36 AM

@sandeep2679, please try the following:

<YourBaseSearch>
|  eval Duration=replace(replace(Duration,"d","+"),"h|m|s","")
|  convert dur2sec(Duration)
|  eval Connected_time= disconncted_time - Duration

Refer to Splunk Documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert#1._Convert_sendmail_durat...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

sandeep2679
New Member
‎11-02-2017 03:13 AM

Thank you for helping. Duration is converted into seconds but when subtracted from disconnected_time
I get nothing. i.e Connected_time is not created.

0 Karma
Reply

niketn
Legend
‎11-02-2017 07:27 AM

Seems like disconncted_time is String Time and not Epoch. Try the following:

 <YourBaseSearch>
 |  eval Duration=replace(replace(Duration,"d","+"),"h|m|s","")
 |  convert dur2sec(Duration)
 |  eval disconncted_time=strptime(disconncted_time,"%b %d %H:%M:%S")
 |  eval Connected_time= disconncted_time - Duration
 |  fieldformat disconncted_time=strftime(disconncted_time,"%b %d %H:%M:%S")
 |  fieldformat Connected_time=strftime(Connected_time,"%b %d %H:%M:%S")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...