Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

earliest and latest HH:MM across multiple days

middlemiddle
Explorer
‎06-25-2021 12:13 PM

I want to set dynamic SLA's for File Processing.  In order to do this I need to:

1. get the earliest HH:MM:SS the job has processed in the last 30 days.
2. get the latest HH:MM:SS the job has processed in the last 30 days.
3. get the average time the jobs process in the last 30 days.
4. get the difference between the earliest & latest.

Most of what I have found around stats with earliest & latest includes the date, so I end up with the time the job ran on day 1 and day 30.  I need the earliest/latest by HH:MM:SS and then diff it?

 

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2021 02:51 PM 
| eval hhmmss=_time%(60*60*24)
0 Karma
Reply

middlemiddle
Explorer
‎06-29-2021 01:17 PM

Thank you @ITWhisperer .   Any idea on how to convert the seconds into HH:MM:SS?  I can use the seconds to get earliest/latest, however when I use the following to get HH:MM:SS they become strings and I'm struggling getting earliest/latest with a string?


| eval date4=tostring(date1, "duration")
| eval date2=date_hour.":".date_minute.":".date_second
| strcat date_hour ":" date_minute ":" date_second date3
| table client_file_name date1 date2 date3 date4

Tags (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-29-2021 01:38 PM

As I didn’t get your needs, can you post your current SPL? This could help me to understand your issue.

0 Karma
Reply

middlemiddle
Explorer
‎06-29-2021 01:34 PM

I think I have it, see below.  The trick was min/max of seconds prior to converting it to time (using duration).


| eval seconds=_time%(60*60*24)
| stats min(seconds) AS "earliest_time_seconds" , max(seconds) AS "latest_time_seconds", count AS number_of_files, by client_file_name

| eval match=if(earliest_time=latest_time,"Yes", "No")
| eval diff_seconds=latest_time_seconds - earliest_time_seconds

| eval earliest_time=tostring(earliest_time_seconds, "duration")
| eval latest_time=tostring(latest_time_seconds, "duration")
| eval difference_in_time=tostring(diff_seconds, "duration")

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...