https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570078#M10279 <P>_time looks like this&nbsp;</P><P><SPAN>2021-10-07 08:28:04.211</SPAN></P><P>epoch column&nbsp; is blank&nbsp;</P> Thu, 07 Oct 2021 15:04:25 GMT luckyman80 2021-10-07T15:04:25Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570017#M10265 <P>Hi Experts! ,</P><P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Wondered if there was a way of doing this. I have a need to compare a timestamp of a log to an EPOCH time also on the same log line and show the Diff</P><P>Example</P><P><STRONG>2021-10-05 04:49:10.138</STRONG> [pool-1-thread-1] INFO order - [Pool]Book={inst=example,1=[],2=[feed-|time=<STRONG>1633427347600000000}</STRONG></P><P>Manually looking the difference is&nbsp;</P><P><STRONG>2021-10-05 04:49:10.138 -(Standard time)</STRONG></P><P><STRONG>2021-10-05 04:49:07.600 -(EPOCH time)</STRONG></P><P><STRONG>Difference 2.54 seconds</STRONG></P><P>Thanks in advance</P> Thu, 07 Oct 2021 09:56:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570017#M10265 luckyman80 2021-10-07T09:56:02Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570031#M10268 <P>Is your "standard" time already extracted as _time?</P><P>Your EPOCH time looks like it might be in nano-seconds, so try</P><LI-CODE lang="markup">| eval diff=_time-(epoch/1000000000)</LI-CODE> Thu, 07 Oct 2021 10:43:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570031#M10268 ITWhisperer 2021-10-07T10:43:11Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570036#M10269 <P>Hi! Thanks for the quick response!&nbsp; I haven't Extracted time yet (not sure how to do that) also how do I display it after ? sorry for all the questions&nbsp;</P> Thu, 07 Oct 2021 10:55:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570036#M10269 luckyman80 2021-10-07T10:55:26Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570038#M10271 <P>You may find it has already been extracted for you when the events were indexed. What fields do you have extracted?</P> Thu, 07 Oct 2021 10:58:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570038#M10271 ITWhisperer 2021-10-07T10:58:22Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570045#M10273 <P>Apols if im being stupid . I tried&nbsp;</P><P>| eval diff=_time-(epoch/1000000000)|table diff</P><P>but dont see anything&nbsp;</P><P>&nbsp;</P> Thu, 07 Oct 2021 12:10:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570045#M10273 luckyman80 2021-10-07T12:10:43Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570049#M10274 <P>What do you get if you just do&nbsp;</P><LI-CODE lang="markup">&lt;&lt;your search&gt;&gt; | table _time epoch</LI-CODE> Thu, 07 Oct 2021 12:17:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570049#M10274 ITWhisperer 2021-10-07T12:17:43Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570078#M10279 <P>_time looks like this&nbsp;</P><P><SPAN>2021-10-07 08:28:04.211</SPAN></P><P>epoch column&nbsp; is blank&nbsp;</P> Thu, 07 Oct 2021 15:04:25 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570078#M10279 luckyman80 2021-10-07T15:04:25Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570084#M10280 <P>Try this</P><LI-CODE lang="markup">Your base search| eva diff=_time-time | table diff</LI-CODE> Thu, 07 Oct 2021 15:56:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570084#M10280 somesoni2 2021-10-07T15:56:55Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570087#M10282 <LI-SPOILER>i did try that .. now I get&nbsp;<BR />_time as&nbsp;2021-10-07 12:30:03.839<BR /><BR />and diff as -1633624103220375800.000<BR /><BR /></LI-SPOILER> Thu, 07 Oct 2021 16:31:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570087#M10282 luckyman80 2021-10-07T16:31:34Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570090#M10283 <P>OK extract epoch like this</P><LI-CODE lang="markup">| rex "time=(?&lt;epoch&gt;\d*)"</LI-CODE> Thu, 07 Oct 2021 16:52:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570090#M10283 ITWhisperer 2021-10-07T16:52:43Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570105#M10284 <P>Try this</P><LI-CODE lang="markup">Your base search | eval diff=abs(_time-(time/1000000000))</LI-CODE><P>&nbsp;</P> Thu, 07 Oct 2021 18:34:47 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570105#M10284 somesoni2 2021-10-07T18:34:47Z https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570135#M10286 <P>thank you ! worked great&nbsp;</P> Thu, 07 Oct 2021 20:06:28 GMT https://community.splunk.com/t5/Splunk-Enterprise/Compare-usual-time-to-Epoch-time/m-p/570135#M10286 luckyman80 2021-10-07T20:06:28Z