I'm working on identifying which hosts are located in which time zone as the client does not have an inventory list and they have devices all around the globe.
I'm calculating the difference between the _time that was extracted from the log and _indextime to establish the difference between them, which will be a good indication of how many time zones the device is away.
I get values of ranges around 0-15, around 3600 and around 7200, which is expected.
Now when I try to use strftime to express that difference into a readable format it always adds 1 hour to it.

Don't use strftime to deal with durations, use the following (where diff is your difference value in seconds):
| eval diff=tostring(diff, "duration")
Hi damien_chillet, I managed to get a desired value by following your suggestion, but now I get a result as 09:11:00.000000 instead of 09:11:00.
I am trying to calculate the difference between 2 time ranges, 3/27/2018 14:01 and 3/27/2018 23:12.
Am I missing something?

What is your string?
time ranges 3/27/2018 14:01 and 3/27/2018 23:12
index=myindex | eval submit=strptime(in, "%m/%d/%Y %H:%M") | eval response=strptime(out, "%m/%d/%Y %H:%M") | eval Total=response-submit | eval Ntotal=tostring(Total,"duration")

Hmm, interesting. Without spending too much time looking into why it's giving you .0000, you can just do a round command on the Total eval to get rid of those, so:
| eval Total=round(response-submit,0)
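To make the two points in this thread concrete (why strftime on a duration "adds an hour", and why the duration string picked up ".000000" until Total was rounded), here is an added Python model of the behaviour. It is not SPL and not from any participant; `duration_string` is a re-implementation of the `[D+]HH:MM:SS` format that `tostring(X, "duration")` produces, `strftime_misread` shows what strftime really does with a seconds value, and the fractional suffix rule (append six decimals when the input is a float, as the thread's result shows) and the UTC parsing base are assumptions made for the example.

```python
from datetime import datetime, timezone, timedelta


def parse_local(text, fmt="%m/%d/%Y %H:%M"):
    """Model Splunk strptime(): returns epoch seconds as a float.

    Assumption for the example: the string is interpreted as UTC so the
    result is deterministic wherever this runs. The float type is the point:
    response-submit is therefore also a float.
    """
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def strftime_misread(seconds, tz):
    """What strftime(diff, "%H:%M:%S") actually does with a duration.

    The seconds are treated as an epoch timestamp (seconds since 1970-01-01
    UTC) and rendered in the given time zone, so a 3600 s gap prints as
    01:00:00 in UTC but 02:00:00 at UTC+1: the "extra hour" from the question.
    """
    return datetime.fromtimestamp(seconds, tz).strftime("%H:%M:%S")


def duration_string(seconds):
    """Model tostring(X, "duration"): [D+]HH:MM:SS.

    Assumption (consistent with the thread's 09:11:00.000000): when the input
    is a float, six decimals are appended even if the fraction is zero, which
    is why rounding Total to an integer removes them.
    """
    negative = seconds < 0
    seconds = abs(seconds)
    whole = int(seconds)
    fraction = seconds - whole
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    out = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    if days:
        out = f"{days}+{out}"
    if isinstance(seconds, float):
        out += f"{fraction:.6f}"[1:]  # keep only ".dddddd"
    return ("-" if negative else "") + out


def tz_offset_hours(index_time, event_time):
    """Round the _indextime - _time gap to whole hours.

    Gaps of a few seconds round to 0 (clock is in the indexer's zone); gaps
    near 3600 or 7200 round to 1 or 2 zones away, as described in the question.
    """
    return round((index_time - event_time) / 3600)


def thread_example():
    """Reproduce the 3/27/2018 14:01 -> 3/27/2018 23:12 calculation from the thread."""
    submit = parse_local("3/27/2018 14:01")
    response = parse_local("3/27/2018 23:12")
    total = response - submit                   # float, like the SPL eval
    # Note: Python's round(x, 0) returns a float; round(x) returns an int.
    return duration_string(total), duration_string(round(total))


if __name__ == "__main__":
    print("strftime on 3600 s in UTC:  ", strftime_misread(3600, timezone.utc))
    print("strftime on 3600 s at UTC+1:", strftime_misread(3600, timezone(timedelta(hours=1))))
    unrounded, rounded = thread_example()
    print("tostring duration, unrounded:", unrounded)
    print("tostring duration, rounded:  ", rounded)
    print("zones away for a 7212 s gap: ", tz_offset_hours(7212, 0))
```

The model makes the SPL behaviour visible: `strftime` is a calendar function and only ever renders instants, so any duration passed to it is shifted by whatever zone the search head is in; `tostring(..., "duration")` is arithmetic on seconds and is zone-independent, and feeding it an integer (the `round` fix above) yields the clean `HH:MM:SS` the thread wanted.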
That did the trick. Thanks again 🙂
I am still trying to learn more about Splunk functionality; any suggestions on learning Splunk commands (video guides/reference materials) would be helpful.

Nice one, thank you.

You're welcome 🙂
Hi damien_chillet,
I managed to get a desired result by following your suggestion.
I am trying to calculate the difference between 2 time ranges, 3/27/2018 14:01 and 3/27/2018 23:12, but I get a result as 09:11:00.000000 instead of 09:11:00.
Query:
index=myindex | eval submit=strptime(in, "%m/%d/%Y %H:%M") | eval response=strptime(out, "%m/%d/%Y %H:%M") | eval Total=response-submit | eval Ntotal=tostring(Total,"duration")
Please advise.
