Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time value difference in duration: getting value as 0d

Chandras11
Communicator
‎09-06-2018 08:30 AM

HI All,

I am able to get the time value difference in epoch and able to convert it to string with the following command:-

eval LeadDays = ( Answer_Time - Bookingdate) |  eval LeadDays = tostring(LeadDays, "duration") |

Bookingdate             Answer_Time  LeadDays
1535635518.000000   1535708751.000000   20:20:33.000000
1535636031.000000   1536059535.000000   2+21:38:24.000000

The problem is in the first row: is there a way to convert it to 0+20:20:33.000000 instead of 20:20:33.000000

I tried to use string concat but it didnt work.

Also is there a way to convert 2+21:38:24 to only days as 2+21/24+38/3600= 2.88 days

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎09-06-2018 09:01 AM

try this:

| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes

Explanation:

  1. first preppend a "0+" if the LeadDays doesn't contain a "+" in it
  2. capture the days / hours / minutes into different fields
  3. use the fields captured in #2 to calculate a new field as per your requirements
  4. remove the unnecessary fields

Hope this helps

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎09-06-2018 09:01 AM

try this:

| eval LeadDays = if(like(LeadDays,"%+%"), LeadDays, "0+".LeadDays)
| rex field=LeadDays "^(?<days>[^\+]+)\+(?<hours>[^:]+)\:(?<minutes>[^:]+)"
| eval new_LeadDays = round(days + hours/24 + minutes/3600, 2)
| fields - days hours minutes

Explanation:

  1. first preppend a "0+" if the LeadDays doesn't contain a "+" in it
  2. capture the days / hours / minutes into different fields
  3. use the fields captured in #2 to calculate a new field as per your requirements
  4. remove the unnecessary fields

Hope this helps

Reply
Solved! Jump to solution

Chandras11
Communicator
‎09-07-2018 01:24 AM

THanks a lot for the answer.

0 Karma
Reply
Solved! Jump to solution

Chandras11
Communicator
‎09-07-2018 02:05 AM

I was trying to use the match command in eval case and it was giving me issues. This one is working like a charm.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...