topic How do I do mathematical operations (subtraction) with two timestamps in the same event? in Getting Data In

How do I do mathematical operations (subtraction) with two timestamps in the same event?

hmdoan — Fri, 26 Jun 2015 13:27:45 GMT

I've been trying to:
1) convert two date stamps into epoch (timestamp and lastmodified). The lastmodified stamp will be more recent.
2) calculate if there is greater than a 7 day difference between the two
3) then display these events.

My time stamps are all in the %d/%m/%Y %H:%M:%S format.

index=netcool_daily name="Auto Ticket" | eval starttime=strptime(timestamp,"%m/%d/%Y %H:%M:%S") | eval endtime=strptime(lastmodified,"%m/%d/%Y %H:%M:%S") | eval difference=(endtime - starttime)/86400 | search difference > 7

I get nothing returned.

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

richgalloway — Fri, 26 Jun 2015 14:46:39 GMT

You say your timestamps are in "d/m/Y" format, but your strptime commands are using "m/d/Y" format. Which is the correct format?

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

woodcock — Fri, 26 Jun 2015 14:49:05 GMT

Everything looks OK so the problem has to be that either (or both) starttime or endtime is not created and that is surely because either timestamp or lastmodified does not exist. Try this search and whichever field does not exist, make it exists (probably just fix a typo):

index=netcool_daily name="Auto Ticket" | eval starttime=strptime(timestamp,"%m/%d/%Y %H:%M:%S") | eval endtime=strptime(lastmodified,"%m/%d/%Y %H:%M:%S") | table timestamp lastmodified starttime endtime

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

hmdoan — Fri, 26 Jun 2015 16:27:01 GMT

Sorry. The format is Year/Month/Day H:M:S

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

hmdoan — Fri, 26 Jun 2015 16:28:17 GMT

My stupid error:

The format is in "%Y/%m/%d %H:%M:%S"

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

richgalloway — Fri, 26 Jun 2015 16:47:42 GMT

So when you change your strptime commands to strptime(timestamp, "%Y/%m/%d %H:%M:%S") and strptime(lastmodified, "%Y/%m/%d %H:%M:%S") does it work?

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

richgalloway — Fri, 26 Jun 2015 16:51:22 GMT

So when you change your strptime commands to strptime(timestamp, "%Y/%m/%d %H:%M:%S") and strptime(lastmodified, "%Y/%m/%d %H:%M:%S") does it work?

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

richgalloway — Fri, 26 Jun 2015 16:51:22 GMT

So when you change your strptime commands to strptime(timestamp, "%Y/%m/%d %H:%M:%S") and strptime(lastmodified, "%Y/%m/%d %H:%M:%S") does it work?

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

richgalloway — Fri, 26 Jun 2015 16:55:41 GMT

You say your timestamps are in "d/m/Y" format, but your strptime commands are using "m/d/Y" format. Which is the correct format?

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

hmdoan — Fri, 26 Jun 2015 16:55:42 GMT

Thanks! That was it. I had the wrong date format. Once I fixed that, the search worked great. Typo on my part.

Re: How do I do mathematical operations (subtraction) with two timestamps in the same event?

hmdoan — Tue, 30 Jun 2015 21:57:54 GMT

Yes - once i changed my time formatting to be consistent, it worked. The dangers of cut-n-paste!!! 🙂