Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

duration calculator with current time

jerinvarghese
Communicator
‎05-05-2020 01:56 AM

Need help in find a query to get the duration of the alert w.r.t the current time.

Current code am using: 

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" AND ("*WANR*" OR "*LAN*") 
| search * 
| rex field=eventuei "uei.opennms.org/nodes/node(?<bgpPeerState>.+)"
 | stats max(_time) as Time_IST latest(bgpPeerState) as Status by nodelabel
 | where Status="Down"

 | lookup ONMS_nodes.csv nodelabel OUTPUT nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| lookup GRDB_site_list.csv "Site Code" as sitecode OUTPUT Region, Country,"Precious Metal" as Metal, "Site Classification" as Class
| eval Region=mvindex(Region,0) 
| eval Country=mvindex(Country,0) 
| eval Metal=mvindex(Metal,0)
| eval sitecode=if(isnull(sitecode),"Unknown", sitecode) 
| eval Country=if(isnull(Country),"Unknown", Country) 
| eval Metal=if(isnull(Metal),"Unknown", Metal) 
| eval Class=if(isnull(Class),"Unknown", Class) 
| eval Region=if(isnull(Region),"Unknown", Region)
| search Country="*"

| rename nodelabel as "Hostname" ,   Class as Classification, sitecode as "Site Code"

| fieldformat Time_IST=strftime(Time_IST+10.5*3600,"%Y-%m-%d %l:%M:%S %p")
 | sort- Time_IST
 | table Hostname Status Classification "Site Code" Time_IST

Table of output below: 

    Hostname    Status  Classification  Site Code   Time_IST
1   GBABO-1 Down    Silver  ABO 2020-05-05  1:33:37 PM
2   GBABO-2 Down    Silver  ABO 2020-05-05  1:33:15 PM

I am looking for a query to get the duration of the event.

Table am expecting.

Hostname    Status  Classification  Site Code   Time_IST    Duration

My splunk timing is in CST time zone.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-05-2020 06:11 AM

Perhaps this will help.

...| sort- Time_IST
| eval Duration = tostring(now() - Time_IST, "duration")
| table Hostname Status Classification "Site Code" Time_IST Duration
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...