Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to splunk search to get time only from date time?

sekhar463
Path Finder
‎11-30-2022 03:48 AM

hi All,

can you help with splunk search to get time only from date time.

example as 2022/11/28 17:00:00 want to get only time 17:00

Tags (1)
0 Karma
Reply

sekhar463
Path Finder
‎12-01-2022 05:10 AM

HI gcusello

I am using below query to calculate if job started on time or not based on actual start time and job start time, the eval condition is not working as i am comparing the time with actual_start time with job start by time

please help if job not started time not matching with actual time then it result is late

and start time is equal to actual start time is the result will be on_time

so how can i create these 2 fields based on these

index=main sourcetype=TEST
| eval Job_start_by=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval SLA=IF(Job_start_by="ACTUAL_START_TIME","1.ON-TIME",IF(Job_start_by>"ACTUAL_START_TIME","2.LATE")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,Job_start_by

0 Karma
Reply

sekhar463
Path Finder
‎11-30-2022 05:46 AM

Hi I am trying to calculate SLA breach based on the below job START_TIME and END_TIME

need help on search query to get below scenario.

in below job actual start time was 4:30 but it was started at 4:50

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 04:01 AM

Hi @sekhar463,

you have to use the eval command with the strftime funtion, something like this:

<your_search>
| eval NEW_START_TIME=strftime(START_TIME,"%H:$M")

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎11-30-2022 05:10 AM

hai Thanks for your response.

i am using below query but not getting field values for NEW_START_TIME

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:$M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

@gcusello

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 05:16 AM

Hi @sekhar463,

sorry I did a mistyping, please try this:

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:%M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎11-30-2022 05:19 AM

still the same empty values for the field values

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 05:24 AM

Hi @sekhar463,

sorry ! I forgot that you START_TIME isn't in epochtime,

please try this:

index=main sourcetype=autosys_CRD
| eval NEW_START_TIME=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

you could also try:

index=main sourcetype=autosys_CRD
| eval NEW_START_TIME=substr(START_TIME,10,5)
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top