Adding in a break/lunch time into a duration

strehb18 · ‎10-27-2020

Hello,

I am trying to add a break time into a cycle time that I am tracking. So the _time field pulls when the start of a cycle is. I have been using the delta function to gather the duration between the cycles. The problem that I am running into that the cycles stay on during breaks and lunch time which will add 15 or 30 minutes to the cycle time. I am hoping this is something east to account for.

The problem in my mind is that I want the solution to be scalable to multiple days. I am looking to add 15 minutes to any cycle that was started from 8:50-9:15 or 30 minutes to something 11:50-12:30. An example from the data

_time duration

2020-10-26 12:40:32.593	-0.003
2020-10-26 12:40:32.577	-0.016
2020-10-26 12:35:29.080	-303.497
2020-10-26 12:35:29.058	-0.022
2020-10-26 12:35:28.967	-0.091
2020-10-26 12:30:25.567	-303.400
2020-10-26 12:30:25.547	-0.020
2020-10-26 11:50:01.608	-2423.939

richgalloway · ‎10-27-2020

See if this helps. It uses a case statement to see if _time is between 8:50 and 9:15 or between 11:50 and 12:30. There are a few hoops to jump through before that to get the starting time.

<your search>
| eval hr=strftime(_time,"%H"), min=strftime(_time,"%M")
| eval startMin=(hr*60)+min
| eval adder=case(startMin>=((8*60)+50) AND startMin<=((9*60)+15),15, startMin>=((11*60)+50) AND startMin<=((12*60)+30), 30, 1==1, 0)
| eval duration=duration+adder

---
If this reply helps you, Karma would be appreciated.

Adding in a break/lunch time into a duration

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?