Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sum duration to iterations of same id

noa
Loves-to-Learn
‎11-05-2020 07:20 AM

Hey,

I have an index 'test_iterations' which contains test data (start time, end time, iterationIndex ane TestName).

Each Test can appear more than once but with different iteration index

I need to get the test duration, which is the sum of the duration of each iteration

I used this query to find for a single test:

Index="test_iteration" TestRunId=someId TestName=someTestName | dedup IterationIndex | eval sum = 0 | foreach IterationIndex* [ eval sum = sum + strptime(EndTime, "%Y-%m-%d%H:%:M%:S.%N") - strptime(StartTime,  "%Y-%m-%d%H:%:M%:S.%N")] | table sum

Which provide me the right answer

 

But when I try to get all the tests duration in a run, I get an error.

My search:

Index="test_iteration" TestRunId=someTestRunId | dedup TestName | 

Eval dur = [ search Index="test_iteration" TestRunId=someId TestName=someTestName | dedup IterationIndex | eval sum = 0 | foreach IterationIndex* [ eval sum = sum + strptime(EndTime, "%Y-%m-%d%H:%:M%:S.%N") - strptime(StartTime,  "%Y-%m-%d%H:%:M%:S.%N")] | table sum] | table Duration, TestName

 

I get the error: error in 'eval' command: the expression is malformed. An unexpected character is reached at ')'.

 

But I don't get why?

 

Thanks.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-05-2020 07:58 AM

I am surprised that you say the first query works. You have a typo in your format string for strptime, and foreach works on field names, not on the values of a particular field.

Please can you confirm what your working and failing queries are?

0 Karma
Reply

noa
Loves-to-Learn
‎11-05-2020 09:20 AM

The first query worked for me and return the right duration, how can it be? 

Each Test Iteration has a StartTime and EndTime. I get from this a single iteration duration and need to sum it.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...