https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176166#M2345 <P>You cannot compare times that way. You'll need to convert them to <CODE>epoch</CODE> first. If one of those timestamps are already being used as the timestamp for the event, then the conversion has already been made for that timestamp, and it is availible in the <CODE>_time</CODE> field. Otherwise you'll need to do the following;</P> <PRE><CODE>your_base_search | eval it = strptime(in_time, "%Y-%m-%dT%H:%M:%S.%3N") | eval ot = strptime(out_time, "%Y-%m-%dT%H:%M:%S.%3N") | eval diff = tostring((ot - it), "duration") | table in_time, out_time, diff </CODE></PRE> <P>read more here;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions</A><BR /> <A href="http://en.wikipedia.org/wiki/Unix_epoch">http://en.wikipedia.org/wiki/Unix_epoch</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables</A></P> <P>/K</P> Thu, 12 Dec 2013 10:47:21 GMT kristian_kolb 2013-12-12T10:47:21Z https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176165#M2344 <P>Hi, </P> <P>I need small help to build a query to find the difference between two date/time values of a log in table format. For example in_time=2013-12-11T22:58:50.797 and out_time=2013-12-11T22:58:51.023.</P> <P>tried this query but i didn't get the result.<BR /> | eval otime=out_time| eval itime=in_time | eval TimeDiff=otime-itime | table out_time in_time TimeDiff</P> Mon, 28 Sep 2020 15:28:03 GMT https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176165#M2344 krishnakishoreg 2020-09-28T15:28:03Z https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176166#M2345 <P>You cannot compare times that way. You'll need to convert them to <CODE>epoch</CODE> first. If one of those timestamps are already being used as the timestamp for the event, then the conversion has already been made for that timestamp, and it is availible in the <CODE>_time</CODE> field. Otherwise you'll need to do the following;</P> <PRE><CODE>your_base_search | eval it = strptime(in_time, "%Y-%m-%dT%H:%M:%S.%3N") | eval ot = strptime(out_time, "%Y-%m-%dT%H:%M:%S.%3N") | eval diff = tostring((ot - it), "duration") | table in_time, out_time, diff </CODE></PRE> <P>read more here;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions</A><BR /> <A href="http://en.wikipedia.org/wiki/Unix_epoch">http://en.wikipedia.org/wiki/Unix_epoch</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables</A></P> <P>/K</P> Thu, 12 Dec 2013 10:47:21 GMT https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176166#M2345 kristian_kolb 2013-12-12T10:47:21Z https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176167#M2346 <P>Thanks a lot, by doing some change query worked.</P> Thu, 12 Dec 2013 16:56:39 GMT https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176167#M2346 krishnakishoreg 2013-12-12T16:56:39Z https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176168#M2347 <P>feel free to mark the question as answered a/o upvote if it solved your problem. Thanks, K</P> Thu, 12 Dec 2013 19:30:27 GMT https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176168#M2347 kristian_kolb 2013-12-12T19:30:27Z https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176169#M2348 <P>In case anyone was scratching their head like me, the time formats should be:</P> <PRE><CODE>"%Y-%m-%d %H:%M:%S.%3N" </CODE></PRE> <P>There should be spaces where the 'T's are.</P> Wed, 10 Aug 2016 20:45:47 GMT https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176169#M2348 aszewczyk 2016-08-10T20:45:47Z https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176170#M2349 <P>Hi,<BR /> I'm in the same scenario, but trying to get the difference from <CODE>CREATED_DATE</CODE> and <CODE>current timestamp</CODE>. For that, it is not working.</P> <PRE><CODE> base_search | eval it = strptime(CREATED_DATE, "%Y-%m-%d %H:%M:%S") | eval nowstring=strptime(now(), "%Y-%m-%d %H:%M:%S") | eval ticket_duration=tostring((now() - it), "duration" ) | table DESCRIPTION,CREATED_DATE,TICKET_STATUS,UPDATE_DATE, ticket_duration </CODE></PRE> <HR /> <PRE><CODE>base_search | convert timeformat='%Y-%m-%dT%H:%M:%S' mktime(CREATED_DATE) mktime(now() AS _now) | eval duration=(_now-CREATED_DATE)/86400 |table TTID,MANAGER_NAME,SEVERITY,DESCRIPTION,CREATED_DATE,TICKET_STATUS,UPDATE_DATE, duration </CODE></PRE> <P>In both ways I'm getting null value, <CODE>ticket_duration=null</CODE><BR /> Can you please suggest any?</P> <P>Thanks,</P> Mon, 28 Oct 2019 23:22:53 GMT https://community.splunk.com/t5/Splunk-Dev/find-the-difference-between-two-date-time-values/m-p/176170#M2349 nagarajsf 2019-10-28T23:22:53Z