Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Time value difference in duration: getting value a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chandras11
Communicator
09-06-2018
08:30 AM
HI All,
I am able to get the time value difference in epoch and able to convert it to string with the following command:-
eval LeadDays = ( Answer_Time - Bookingdate) | eval LeadDays = tostring(LeadDays, "duration") |
Bookingdate Answer_Time LeadDays
1535635518.000000 1535708751.000000 20:20:33.000000
1535636031.000000 1536059535.000000 2+21:38:24.000000
The problem is in the first row: is there a way to convert it to 0+20:20:33.000000 instead of 20:20:33.000000
I tried to use string concat but it didnt work.
Also is there a way to convert 2+21:38:24 to only days as 2+21/24+38/3600= 2.88 days
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
09-06-2018
09:01 AM
try this:
| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes
Explanation:
- first preppend a "0+" if the LeadDays doesn't contain a "+" in it
- capture the days / hours / minutes into different fields
- use the fields captured in #2 to calculate a new field as per your requirements
- remove the unnecessary fields
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
09-06-2018
09:01 AM
try this:
| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes
Explanation:
- first preppend a "0+" if the LeadDays doesn't contain a "+" in it
- capture the days / hours / minutes into different fields
- use the fields captured in #2 to calculate a new field as per your requirements
- remove the unnecessary fields
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chandras11
Communicator
09-07-2018
01:24 AM
THanks a lot for the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chandras11
Communicator
09-07-2018
02:05 AM
I was trying to use the match command in eval case and it was giving me issues. This one is working like a charm.
Get Updates on the Splunk Community!
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Almost Too Eventful Assurance: Part 1
Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
