Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract miliseconds from _time ?

zacksoft
Contributor
‎04-03-2020 06:27 AM

I have a field serv_time = 44432 in miliseconds.
and the default field _time.
I want to be able to subtract _time - serv_time (_time minus - serv-time)

and get the result in a human readable format ?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

memarshall63
Communicator
‎04-03-2020 06:36 AM

_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:

| makeresults 
| eval serv_time = 44432
| eval epoch_time = _time 
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000) 
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

memarshall63
Communicator
‎04-03-2020 06:36 AM

_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:

| makeresults 
| eval serv_time = 44432
| eval epoch_time = _time 
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000) 
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎04-03-2020 08:29 AM

I'm not getting the expected result. I am not getting the subtracted time.

 index="bayseian" source="/apps/runner/mahem/logs/sachin.out" | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds

     | eval serv_time = boot_time
 | eval epoch_time = _time 
 | eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
 | eval sub_time = epoch_time - (boot_time/1000) 
 | eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
 | eval sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")

 | table human_time sub_time
0 Karma
Reply
Solved! Jump to solution

memarshall63
Communicator
‎04-03-2020 09:16 AM

@zacksoft in your uuery human_time and sub_time are both formatting sub_time -- so they'll be the same.

If you change your last line to display:

|table human_epoch_time sub_time human_time

You should see the diff between human_epoch_time and sub_time

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...