Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Issue with doing math on event times?

msarro
Builder
‎01-24-2011 09:09 PM

Here is my current code:

index="sandbox" sourcetype="AS-CDR" | where Called_Number="2155551060" OR
       Calling_Number="2155551060" OR
       Called_Number="12155551060" OR
       Calling_Number="12155551060" OR
       Called_Number="+12155551060" OR
       Calling_Number="+12155551060" |eval timeToAnswer=(strptime(Answer_Time, "%Y%m%d%H%M%S.%q") - strptime(Start_Time, "%Y%m%d%H%M%S.%q"))

When I attempt to perform that operation, it doesn't give me any value for timeToAnswer, even though the operator is supposed to create a new column that can be used. I know it works because I can take an average using avg(timeToAnswer) and get a result. But if I try to append

|fields Start_Time Answer_Time timeToAnswer

It doesn't show. Can anyone explain how to fix this? The timestamps are in the following format:

20110119212921.053

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎01-25-2011 01:29 PM

If you select the timeToAnswer field from the field picker, does it show its top 10 values?

"fields" is not used to display a field under the raw text of the events. You can use the field picker on the left to "always show" the field timeToAnswer or the 

... | table Start_Time Answer_Time timeToAnswer

command to display tabular results. Let us know if it worked!

View solution in original post

Reply
Solved! Jump to solution
Solution

Paolo_Prigione
Builder
‎01-25-2011 01:29 PM

If you select the timeToAnswer field from the field picker, does it show its top 10 values?

"fields" is not used to display a field under the raw text of the events. You can use the field picker on the left to "always show" the field timeToAnswer or the 

... | table Start_Time Answer_Time timeToAnswer

command to display tabular results. Let us know if it worked!

Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎01-26-2011 04:40 PM

We are all very lucky that Splunk's manual is really well done 😄

0 Karma
Reply
Solved! Jump to solution

msarro
Builder
‎01-26-2011 03:55 PM

Thanks! Reading through the manual is a pretty good exercise, I should try it more often 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...