Skip to content

Splunk Practice Exercise 4: Calculate Time Using 'timeendpos' and 'timestartpos'

Introduction

This practice exercise focuses on calculating time using 'timeendpos' and 'timestartpos' and only displaying events with time greater than 20.

Step 1: Access Splunk Web

  1. Open your web browser and navigate to Splunk Web:

    http://<your server ip>:8000

  2. Log in using your credentials.

Step 2: Navigate to Search & Reporting App

  1. In the Splunk Web interface, go to the Search & Reporting app.

Step 3: Construct the Search Query

  1. In the search bar, enter the following search query:

    index=tutorial timeendpos=* timestartpos=* | eval calculatedTime=timeendpos-timestartpos | where calculatedTime > 20 | table timestartpos, timeendpos, calculatedTime

This query calculates the time difference between 'timeendpos' and 'timestartpos' and only displays events where the calculated time is greater than 20.

  1. Press Enter or click the Search button to execute the search.

Step 5: Review Results

  1. Review the search results in the table, where 'timestartpos', 'timeendpos', and the calculated time are displayed for events with time greater than 20.

Conclusion

Congratulations! You have successfully completed the practice exercise, calculating time using 'timeendpos' and 'timestartpos' and displaying events where the calculated time is greater than 20. Continue to explore and experiment with different search queries to enhance your Splunk skills.