- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how can i get the begging time by sustact stop...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how can i get the begging time by sustact stop time
i have the following log,
Oct 9 20:52:37 130.130.128.122 Oct 9 04:47:22 130.130.128.122 CisACS_03_RADIUSAcc p5powg8x 1 0 User-Name=GSSHTB\17997,NAS-IP-Address=10.10.1.24,NAS-Port=50010,Group-Name=Group 80,Calling-Station-Id=00-11-43-BC-76-19,Acct-Status-Type=Stop,Acct-Input-Octets=5726228,Acct-Output-Octets=92503773,Acct-Session-Id=10.10.1.24 GSSHTB\17997 03/14/93 04:43:21 000000E9,Acct-Session-Time=16839,
from the above log i can find the stop time( 03/14/93 04:43:21), and time (Acct-Session-Time=16839), now I want to caculate the beginning time , how can i get this result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume that Acct-Sesssion-Time is in seconds. Therefore, you can do this
<yoursearchhere>
| eval beginningTime = strptime(stop-time,"%m/%d/%y %H:%M:%S") - Acct-Sesssion-Time
| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
It would be better if your field names did not use "-". Field names should have only letters, numbers and underscores. So you may find that Splunk automatically changes the "-" to "_". Which would make the command:
<yoursearchhere>
| eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time
| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much , i got it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm. try this:
host="splunk.514"
| eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time
| eval beginTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S")
| table beginTime stop_time Acct_Sesssion_Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks a lot
i did the search following your advice ,but get none result
host="splunk.514" | eval beginningTime = strptime(stop_time,"%m/%d/%y %H:%M:%S") - Acct_Sesssion_Time| fieldformat beginningTime = strftime(beginningTime,"%m/%d/%y %H:%M:%S") | table beginningTime stop_time
result:
beginningTime stop_time
1
2 03/14/93 04:47:15
3 03/14/93 09:50:51
pls. analyse the reason,thank you!
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
Introducing the Splunk Community Dashboard Challenge!
