Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to splunk search to get time only from date time?

sekhar463
Path Finder
‎11-30-2022 03:48 AM

hi All,

can you help with splunk search to get time only from date time.

example as 2022/11/28 17:00:00 want to get only time 17:00

Tags (1)
0 Karma
Reply

sekhar463
Path Finder
‎12-01-2022 05:10 AM

HI gcusello

I am using below query to calculate if job started on time or not based on actual start time and job start time, the eval condition is not working as i am comparing the time with actual_start time with job start by time

please help if job not started time not matching with actual time then it result is late

and start time is equal to actual start time is the result will be on_time

so how can i create these 2 fields based on these

index=main sourcetype=TEST
| eval Job_start_by=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval SLA=IF(Job_start_by="ACTUAL_START_TIME","1.ON-TIME",IF(Job_start_by>"ACTUAL_START_TIME","2.LATE")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,Job_start_by

0 Karma
Reply

sekhar463
Path Finder
‎11-30-2022 05:46 AM

Hi I am trying to calculate SLA breach based on the below job START_TIME and END_TIME

need help on search query to get below scenario.

in below job actual start time was 4:30 but it was started at 4:50

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 04:01 AM

Hi @sekhar463,

you have to use the eval command with the strftime funtion, something like this:

<your_search>
| eval NEW_START_TIME=strftime(START_TIME,"%H:$M")

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎11-30-2022 05:10 AM

hai Thanks for your response.

i am using below query but not getting field values for NEW_START_TIME

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:$M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

@gcusello

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 05:16 AM

Hi @sekhar463,

sorry I did a mistyping, please try this:

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:%M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎11-30-2022 05:19 AM

still the same empty values for the field values

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2022 05:24 AM

Hi @sekhar463,

sorry ! I forgot that you START_TIME isn't in epochtime,

please try this:

index=main sourcetype=autosys_CRD
| eval NEW_START_TIME=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

you could also try:

index=main sourcetype=autosys_CRD
| eval NEW_START_TIME=substr(START_TIME,10,5)
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...