Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find elapsed time between now() and event?

_dave_b
Communicator
‎11-06-2015 02:03 PM

Hello. I am trying to find the amount time that has passed from the time and event occurred to the present (now()). I tried subtracting the time of the event from the current time, but I got an Epoch time value that gives me times in the 1970s. What conversions do I have to make to have Splunk tell me something happened 30 hours ago and not 30 years?

Thanks for your help

Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-06-2015 02:18 PM

Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs. 

... | fieldformat timeField = tostring(timeField,"duration")

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-06-2015 02:20 PM

Well you have the time of the event as _time field, and you can use now() in eval expressions, so you can make a field, let's call it secondsAgo, like so: 

| eval secondsAgo=now() - _time

It is of course just a number of seconds. IF you were to do | convert ctime(secondsAgo), that would be weird because you're asking Splunk to tell you what time it would be if this number of seconds were defined as "the number of seconds since 1/1/1970 in GMT", which.... is generally a random time in 1970.

What you probably want to do after getting secondsAgo as an integer, is convert it to an "HH:MM:SS" duration string, like so: 

| eval secondsAgo=now() - _time | eval durationStr=tostring(secondsAgo,"duration")

or if you prefer it in one eval expression, 

| eval secondsAgoStr=tostring(now() - _time, "duration")
Reply
Solved! Jump to solution

_dave_b
Communicator
‎11-06-2015 02:46 PM

Thanks! This is worthy of acceptance for the Answer, but rich7177 posted his Answer-acceptance worthy reply first, and therefore must get credit. I hope my grattitude will suffice in lieu of Karma points!

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-06-2015 03:30 PM

hehe. Sure no problem. He and I were writing our answers at the same time. Unaccepting answers and accepting others happens all the time but in this case they are both right so it matters little. Cheers.

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-06-2015 02:18 PM

Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs. 

... | fieldformat timeField = tostring(timeField,"duration")
Reply
Solved! Jump to solution

_dave_b
Communicator
‎11-06-2015 02:41 PM

Thanks! I was not picking up on that important detail.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...