Hi Everybody, I have a field in my splunk events that is an XML field representing a videoconference session start time called ns2:sessionStartTime. An example of a field value is 2013-03-31T23:12:58.062-07:00. I want to turn this into a number (possibly Unix epoch time?) so I can perform ns2:sessionEndTime - ns2:sessionStartTime and figure out how long the session took. If there's any easier way of doing this calculation I'm all ears. Thanks for any and all help. Conor ... View more

I'm evaluating a variable called lengthofpayload. I want to separate it into 10 buckets: 0-1000, 1000-2000, etc. Each bucket has a number of events in it, and I want to find the percent of the total events found in that time window each bucket holds. For example, if I wanted to find the number of events and how their payload lengths are distributed in the last 24 hours, it'd look like this: 6,000 events found lengthofpayload percentage 0-1000 16% 1000-2000 40% 2000-3000 20% I found this link to something similar, but I don't want a timechart in the end: http://splunk-base.splunk.com/answers/27590/charting-percentage-of-a-total-over-time This is the code I'm using and I think it's close but it doesn't work. It prints nothing out for the first(percentage) variable. sourcetype="dbmon:kv" | search EVENTTYPE="ScreenSharingEvent" | eval lengthofpayload=len(PAYLOAD) | bucket lengthofpayload bins=10 | eventstats count as total by length of payload | stats count first(total) as total by lengthofpayload | eval percent=(count/total)*100 | chart first(percent) by lengthofpayload Thanks in advance for help/suggestions! ... View more