Splunk Search

Why am I getting an Invalid result in span between two dates?

morethanyell
Builder

This code:

   | makeresults
   | eval StartTime = strptime("2018-01-01 00:00:00", "%Y-%m-%d %H:%M:%S")
   | eval EndTime = strptime("2018-01-01 00:10:00", "%Y-%m-%d %H:%M:%S")
   | eval Elapsed = EndTime - StartTime
   | fieldformat Elapsed = strftime(Elapsed, "%H:%M:%S")

results to Elapsed=08:10:00 or eight hours and ten minutes, instead of just ten minutes.

Would like to get some assistance on why this happens and how to fix. Thanks a lot!

0 Karma
1 Solution

HiroshiSatoh
Champion

The function calculates 600 seconds as the epoch time.And time zones are also included.

Epoch Time:600
↓With the time zone added:JST
1970-01-01 09:10:00

Try this!
| fieldformat Elapsed = tostring(Elapsed, "duration")

View solution in original post

HiroshiSatoh
Champion

The function calculates 600 seconds as the epoch time.And time zones are also included.

Epoch Time:600
↓With the time zone added:JST
1970-01-01 09:10:00

Try this!
| fieldformat Elapsed = tostring(Elapsed, "duration")

morethanyell
Builder

Wizardry! | fieldformat Elapsed = tostring(floor(Elapsed), "duration")

Thanks a lot

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...