Splunk Search

how can i get the begging time by sustact stop time

akdake
Explorer

i have the following log,

Oct 9 20:52:37 130.130.128.122 Oct 9 04:47:22 130.130.128.122 CisACS_03_RADIUSAcc p5powg8x 1 0 User-Name=GSSHTB\17997,NAS-IP-Address=10.10.1.24,NAS-Port=50010,Group-Name=Group 80,Calling-Station-Id=00-11-43-BC-76-19,Acct-Status-Type=Stop,Acct-Input-Octets=5726228,Acct-Output-Octets=92503773,Acct-Session-Id=10.10.1.24 GSSHTB\17997 03/14/93 04:43:21 000000E9,Acct-Session-Time=16839,

from the above log i can find the stop time( 03/14/93 04:43:21), and time (Acct-Session-Time=16839), now I want to caculate the beginning time , how can i get this result?

Tags (1)
0 Karma

lguinn2
Legend

I assume that Acct-Sesssion-Time is in seconds. Therefore, you can do this

<yoursearchhere>
| eval beginningTime = strptime(stop-time,"%m/%d/%y %H:%M:%S") - Acct-Sesssion-Time
| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")

It would be better if your field names did not use "-". Field names should have only letters, numbers and underscores. So you may find that Splunk automatically changes the "-" to "_". Which would make the command:

<yoursearchhere>
| eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time
| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
0 Karma

akdake
Explorer

Thank you very much , i got it.

0 Karma

lguinn2
Legend

Hmm. try this:

host="splunk.514"
| eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time
| eval beginTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
| table beginTime stop_time Acct_Sesssion_Time

0 Karma

akdake
Explorer

thanks a lot
i did the search following your advice ,but get none result
host="splunk.514" | eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S") | table beginningTime stop_time

result:
beginningTime stop_time
1

2 03/14/93 04:47:15
3 03/14/93 09:50:51

pls. analyse the reason,thank you!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...