Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Time value difference in duration: getting value a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chandras11
Communicator
09-06-2018
08:30 AM
HI All,
I am able to get the time value difference in epoch and able to convert it to string with the following command:-
eval LeadDays = ( Answer_Time - Bookingdate) | eval LeadDays = tostring(LeadDays, "duration") |
Bookingdate Answer_Time LeadDays
1535635518.000000 1535708751.000000 20:20:33.000000
1535636031.000000 1536059535.000000 2+21:38:24.000000
The problem is in the first row: is there a way to convert it to 0+20:20:33.000000 instead of 20:20:33.000000
I tried to use string concat but it didnt work.
Also is there a way to convert 2+21:38:24 to only days as 2+21/24+38/3600= 2.88 days
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
09-06-2018
09:01 AM
try this:
| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes
Explanation:
- first preppend a "0+" if the LeadDays doesn't contain a "+" in it
- capture the days / hours / minutes into different fields
- use the fields captured in #2 to calculate a new field as per your requirements
- remove the unnecessary fields
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aholzer
Motivator
09-06-2018
09:01 AM
try this:
| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes
Explanation:
- first preppend a "0+" if the LeadDays doesn't contain a "+" in it
- capture the days / hours / minutes into different fields
- use the fields captured in #2 to calculate a new field as per your requirements
- remove the unnecessary fields
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chandras11
Communicator
09-07-2018
01:24 AM
THanks a lot for the answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chandras11
Communicator
09-07-2018
02:05 AM
I was trying to use the match command in eval case and it was giving me issues. This one is working like a charm.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Index This | How many sevens are there between 1 and 100?
August 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
