Solved: Re: Time without errors

vgaltes · ‎01-27-2017

Hi,

I'm trying to calculate the time without errors in the system. To do that I'm doing something like

| eval now = now()
| convert timeformat="%Y-%m-%d %H:%M:%S.%3N" mktime(_time) AS epoch_time
| eval diff = now - epoch_time
| eval TimeWithoutErrors = strftime(diff,"%H:%M:%S")
| eval TimeNow = strftime(now,"%Y-%m-%d %H:%M:%S.%3N")
| eval EventTime = strftime(epoch_time,"%Y-%m-%d %H:%M:%S.%3N")
| head 1
| table TimeWithoutErrors, TimeNow, _time, EventTime

And the values I get are:

TimeNow: 2017-01-27 14:18:16.000 -> correct
_time: 2017-01-27 12:00:14.552 -> correct
EventTime: 2017-01-27 12:00:14.552 -> correct
TimeWithoutErrors: 03:18:01 -> not correct, should be one hour less

Why I'm getting an hour more that what I should get?

Thank you very much,
Vicenç

somesoni2 · ‎01-27-2017

Try something like this. The _time field is already epoch so you don't need to convert it again.

your base search
| head 1
| eval TimeWithoutErrors = tostring(now()-_time,"duration")
| eval TimeNow= strftime(now(),"%Y-%m-%d %H:%M:%S.%3N")
| eval EventTime = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| table TimeWithoutErrors, TimeNow, _time, EventTime

View solution in original post

somesoni2 · ‎01-27-2017

Try something like this. The _time field is already epoch so you don't need to convert it again.

your base search
| head 1
| eval TimeWithoutErrors = tostring(now()-_time,"duration")
| eval TimeNow= strftime(now(),"%Y-%m-%d %H:%M:%S.%3N")
| eval EventTime = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| table TimeWithoutErrors, TimeNow, _time, EventTime

vgaltes · ‎01-27-2017

Works perfectly, thanks!

Time without errors

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...