Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issue with doing math on event times?

msarro
Builder
‎01-24-2011 09:09 PM

Here is my current code:

index="sandbox" sourcetype="AS-CDR" | where Called_Number="2155551060" OR
       Calling_Number="2155551060" OR
       Called_Number="12155551060" OR
       Calling_Number="12155551060" OR
       Called_Number="+12155551060" OR
       Calling_Number="+12155551060" |eval timeToAnswer=(strptime(Answer_Time, "%Y%m%d%H%M%S.%q") - strptime(Start_Time, "%Y%m%d%H%M%S.%q"))

When I attempt to perform that operation, it doesn't give me any value for timeToAnswer, even though the operator is supposed to create a new column that can be used. I know it works because I can take an average using avg(timeToAnswer) and get a result. But if I try to append

|fields Start_Time Answer_Time timeToAnswer

It doesn't show. Can anyone explain how to fix this? The timestamps are in the following format:

20110119212921.053

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎01-25-2011 01:29 PM

If you select the timeToAnswer field from the field picker, does it show its top 10 values?

"fields" is not used to display a field under the raw text of the events. You can use the field picker on the left to "always show" the field timeToAnswer or the 

... | table Start_Time Answer_Time timeToAnswer

command to display tabular results. Let us know if it worked!

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎01-25-2011 01:29 PM

If you select the timeToAnswer field from the field picker, does it show its top 10 values?

"fields" is not used to display a field under the raw text of the events. You can use the field picker on the left to "always show" the field timeToAnswer or the 

... | table Start_Time Answer_Time timeToAnswer

command to display tabular results. Let us know if it worked!

Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎01-26-2011 04:40 PM

We are all very lucky that Splunk's manual is really well done 😄

0 Karma
Reply
Solved! Jump to solution

msarro
Builder
‎01-26-2011 03:55 PM

Thanks! Reading through the manual is a pretty good exercise, I should try it more often 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...