topic Re: How to calculate the difference between two time stamps in a single event? in Getting Data In

How to calculate the difference between two time stamps in a single event?

ambujhbti — Thu, 25 Jun 2015 15:49:25 GMT

Hello all,

This is my first post.

I am trying to calculate time diff between two fields in a single event.

For example:

Time_HTTP_Start: 06/25/2015 09:59:43:586
Time_HTTP_Sent: 06/25/2015 09:59:43:830

My current search:

sourcetype="XXXXXX"   host="XXXXXX" |eval diff= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")- strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")|table diff

I only get an empty result. Can somebody tell me what I am missing? I am sure its very easy for you guys!

Thank you.

Re: How to calculate the difference between two time stamps in a single event?

martin_mueller — Thu, 25 Jun 2015 16:36:31 GMT

First, make sure your fields are extracted correctly:

sourcetype="XXXXXX"   host="XXXXXX" | table _time Time_HTTP_Sent Time_HTTP_Start _raw

Re: How to calculate the difference between two time stamps in a single event?

lguinn2 — Fri, 26 Jun 2015 06:17:42 GMT

I would break it down a little more, just so I could see what is happening:

sourcetype="XXXXXX"   host="XXXXXX" 
| eval sent= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")
| eval start= strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")
| eval diff= sent-start
| table Time_HTTP_Sent Time_HTTP_Start sent start diff

Re: How to calculate the difference between two time stamps in a single event?

ambujhbti — Fri, 10 Jul 2015 20:56:14 GMT

Thank you. I have checked it and found that the data was not extracted. Thank you again!

Re: How to calculate the difference between two time stamps in a single event?

ambujhbti — Fri, 10 Jul 2015 20:56:53 GMT

Thank you!