Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subtracting two epoch times after within stats table

jason_hotchkiss
Communicator
‎06-16-2021 01:26 PM

Hello - we are trying to calculate the possible_duration between the first event and last event in the following base search:

<base_search>
| eval docid="https://www.youtube.com/embed/".docid
| stats count as "visits" values(docid) as url list(_time) as time_of_events earliest(_time) as first_event latest(_time) as last_event by user
| eval duration = last_event - first_event
| eval possible_duration = strftime(duration,"%H:%M:%S")
| eval time_of_events = strftime(time_of_events,"%H:%M:%S")
| eval first_event = strftime(first_event,"%H:%M:%S")
| eval last_event = strftime(last_event,"%H:%M:%S")
| table user visits url time_of_events first_event last_event possible_duration

Result:

Scoobie_Doo3https://www.youtube.com/embed/scoobie_snacks16:12:37
16:12:37
16:12:34		16:12:3416:12:3719:00:03


The possible_duration field seems to get the minutes and seconds right.  But not the hour.  Looking for a suggestion one what I am missing.
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2021 04:13 PM

Using strftime on a duration type field will always take account your local time, so if you added in a date to that strftime, you would see it's probably Jan 1 1970.

When dealing with duration there are two ways, either using tostring or doing the maths, like this example search

| makeresults
| eval duration=147
| eval t-UsingToString=tostring(duration,"duration")
| eval h=round(duration/3600), m=round((duration-(h*3600))/60), s=duration%60
| eval t-UsingHMS=printf("%02d:%02d:%02d", h, m, s)
| table duration t-UsingToString t-UsingHMS

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2021 04:13 PM

Using strftime on a duration type field will always take account your local time, so if you added in a date to that strftime, you would see it's probably Jan 1 1970.

When dealing with duration there are two ways, either using tostring or doing the maths, like this example search

| makeresults
| eval duration=147
| eval t-UsingToString=tostring(duration,"duration")
| eval h=round(duration/3600), m=round((duration-(h*3600))/60), s=duration%60
| eval t-UsingHMS=printf("%02d:%02d:%02d", h, m, s)
| table duration t-UsingToString t-UsingHMS

 

Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎06-17-2021 07:41 AM

I attempted your solution, however, I am unable to get it to work in my particular case.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-17-2021 03:45 PM

Can you give more details on what you tried and the results you got.

 

0 Karma
Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎06-21-2021 06:38 AM

It ended up being my fault.  I was able to use an element of your example to produce the results I was looking for:

|eval duration = last_event - first_event
|eval possible_duration=tostring(duration, "duration")

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...