
How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

New Member

Hello,

I am trying to calculate the difference between

Disconnectedtime    Duration
Oct 19 10:35:54     1d 0h:00m:05s
Oct 19 10:35:54     3h:29m:09s

I want to get

Connected time = disconncted_time - Duration


Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

Legend

@sandeep2679, please try the following:

<YourBaseSearch>
|  eval Duration=replace(replace(Duration,"d","+"),"h|m|s","")
|  convert dur2sec(Duration)
|  eval Connected_time= disconncted_time - Duration

Refer to Splunk Documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Convert#1._Convert_sendmail_durat...




| eval message="Happy Splunking!!!"



Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

New Member

Thank you for helping. Duration is converted into seconds, but when it is subtracted from disconnectedtime I get nothing, i.e. Connected time is not created.


Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

Legend

It seems disconncted_time is a string time and not epoch. Try the following:

<YourBaseSearch>
|  eval Duration=replace(replace(Duration,"d","+"),"h|m|s","")
|  convert dur2sec(Duration)
|  eval disconncted_time=strptime(disconncted_time,"%b %d %H:%M:%S")
|  eval Connected_time= disconncted_time - Duration
|  fieldformat disconncted_time=strftime(disconncted_time,"%b %d %H:%M:%S")
|  fieldformat Connected_time=strftime(Connected_time,"%b %d %H:%M:%S")



| eval message="Happy Splunking!!!"



Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

SplunkTrust

The only way to calculate time differences is by first converting the times into epoch format. I know of no function to convert durations into epochs so it has to be done manually.

... | rex field=Duration "((?<days>\d+)d\s)?(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s"
| eval days=coalesce(days,0), duration=(days*86400)+(hours*3600)+(minutes*60)+seconds
| eval Connected_time=strftime(strptime(Disconnected_time,"%b %d %H:%M:%S")-duration, "%b %d %H:%M:%S")
| ...
---
If this reply helps you, an upvote would be appreciated.

Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

SplunkTrust

@niketnilay's use of dur2sec is much cleaner than my answer.

---
If this reply helps you, an upvote would be appreciated.

Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

New Member

Thank you


Re: How to get time difference between Oct 19 10:35:54 and 1d 0h:00m:05s or 3h:29m:09s formats?

Motivator

Hi there @sandeep2679

This is not the most elegant solution but it might work.

base search ...
| rex "\d{2}:\d{2}:\d{2}\s(?<day>\d+)d\s[hms:\d]+"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<hour>\d+)[hms:\d]"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<min>\d+)m:\d+s"
| rex "\d{2}:\d{2}:\d{2}\s.*?(?<sec>\d+)s"
| eval 2sec_day=(day*86400)
| eval 2sec_hourmin=(hour*3600) + (min*60) + sec
| table _time 2sec_*
| addtotals fieldname=duration 2sec_*
| eval conn_time=_time-duration
| eval Connected_time=strftime(conn_time,"%b %d %H:%M:%S")

Hope it helps.

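Added example, not from any of the posters above: a self-contained search that builds the two sample rows from the question with makeresults and computes the connected time both ways discussed in the thread, the anchored rex plus arithmetic and the replace plus convert dur2sec route, so the two can be checked against each other before either is wired into a real base search. The field names Disconnectedtime, duration_rex, duration_d2s, disconnected_epoch and methods_agree are chosen here and do not come from the original posts; the sample rows are constructed from the values in the question.

```spl
| makeresults count=2
| streamstats count AS row
| eval Disconnectedtime="Oct 19 10:35:54"
| eval Duration=if(row=1, "1d 0h:00m:05s", "3h:29m:09s")
| rex field=Duration "^(?:(?<days>\d+)d\s+)?(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s$"
| eval duration_rex=coalesce(days,0)*86400 + hours*3600 + minutes*60 + seconds
| eval duration_d2s=replace(replace(Duration,"d\s*","+"),"[hms]","")
| convert dur2sec(duration_d2s)
| eval disconnected_epoch=strptime(Disconnectedtime,"%b %d %H:%M:%S")
| eval Connected_time=strftime(disconnected_epoch - duration_rex,"%b %d %H:%M:%S")
| eval methods_agree=if(duration_rex=duration_d2s,"yes","no")
| table Disconnectedtime Duration duration_rex duration_d2s methods_agree Connected_time
```

The rex is anchored with ^ and $, so a Duration that does not match the expected shape leaves days, hours, minutes and seconds null and Connected_time empty instead of silently yielding a wrong number; the dur2sec path relies on the two replace calls producing the D+H:MM:SS form the command expects, which is why methods_agree is included as a check. Note also that the timestamp carries no year, so strptime assumes the current year; the subtraction is done on epoch seconds, so a disconnect on Jan 1 minus a one-day duration correctly lands on Dec 31 of the previous year.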