Splunk Search

Time Conversion - Elapsed Time

jordanb93
Explorer

I have time stamps in the format of H:MM. But when the minutes reach 60 they don't add an hour only when the number reaching above .99 does it add an hour.

This makes the timestamp hard to read.

What complicates the issue is that the elapsed time can be anywhere from .22 to 3.22.

I'm calculating these elapsed times from two correctly formatted time stamps, converting those to seconds, subtracting them then converting back to normal time. I've tried if and case evals but they aren't always correct.

Has anyone found a solution to a problem similar to this?

1 Solution

DalJeanis
SplunkTrust
SplunkTrust
| makeresults | eval DurationInSeconds=234.76 | eval DurationDisplay=strftime(DurationInSeconds,"%H:%M:%S.%3N")

View solution in original post

0 Karma

cmerriman
Super Champion

try using tostring instead of strftime. strftime is more for a datestamp since it's using epoch and tostring is for actual seconds duration:

this got me 1 hour and 20 minutes.

|makeresults |eval starttime="21:20:00"|eval endtime="20:00:00"|eval secondsstart=strptime(starttime,"%H:%M:%S")|eval secondsend=strptime(endtime,"%H:%M:%S")|eval durationseconds=secondsstart-secondsend|eval duration=mvindex(split(tostring(durationseconds,"duration"),"."),0)

tegaslink
Explorer

@cmerriman i used the solution you provided "(split(tostring(durationseconds,"duration"),"."),0)"
but this came out with very weird answers. I got answers like
6+02:23:16 9+03:34:54
4+08:55:02 6+13:22:33
5+20:20:19 8+18:30:28
5+20:20:19 8+18:30:28

I don't know how to explain 8 + 18:30:28 , where do i fit that. do i have to do more computation to sum that up again. I don't really see a documentation on SPLUNK's Docs for all of this, nothing covers how to calculate duration or the answers to expect after this is being used.
Please explain this process to me, it is really vague

0 Karma

cmerriman
Super Champion

The 8+ is referring to the number of days. How exactly are you wanting to display duration?

tegaslink
Explorer

I wanted to display the duration in sections for example the output will be:
8d+18H:30M:28S

0 Karma

cmerriman
Super Champion

you can try something like this: |eval dur2=floor(time/86400)."d+".floor(time/3600)."H:".(floor(time/60)%60)."M:".floor(time%60)."S"
but generally the duration is doing what you want, without adding the d/H/M/S values.

8+18:30:28 means 8 days, 18 hours, 30 minutes, and 28 seconds.

tegaslink
Explorer

That's solid. It worked!
Thanks a lot.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust
| makeresults | eval DurationInSeconds=234.76 | eval DurationDisplay=strftime(DurationInSeconds,"%H:%M:%S.%3N")
0 Karma

jordanb93
Explorer

The issue is that the calculation is close to being correct. From my data i'll have a timestamp like 21:20:00 and 20:00:00 i need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust
| makeresults | eval times="21:20:00,20:00:00 20:00:00,21:20:00" | makemv times | mvexpand times | makemv delim="," times | eval starttime=mvindex(times,0), endtime=mvindex(times,1) | table starttime endtime
| rename COMMENT as "The above just generates test data."

| eval startepoch=strptime(starttime,"%H:%M:%S"), endepoch=strptime(endtime,"%H:%M:%S")
| eval endepoch=if(endepoch<startepoch,endepoch+86400,endepoch)
| eval durationepoch=endepoch-startepoch
| eval duration=strftime(durationepoch,"%H:%M:%S")
0 Karma

reneedeleon
Engager

does this also apply if you utlize the _time in the stats?

0 Karma

pappjr
Path Finder

Is Splunk parsing the data correctly? Is the _time field the correct time? If so maybe you can just use that. If not you'll have to get fancy with eval commands to convert the time stamp yourself.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

How are you doing the "converting back to normal time" part? Are you using strftime or tostring(seconds,"duration")?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jordanb93
Explorer

eval DurationDisplay=strftime(differenceEpoch,"%H:%M:%S")

The issue is that the calculation is close to being correct. From my data i'll have a timestamp like 21:20:00 and 20:00:00 i need to calculate the difference between these numbers. What would return in this case is something like 19:20:00. For some reason it will have 18 in the hour space when it should be 0.

Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...