topic Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format? in Getting Data In

How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

rijinc — Wed, 30 Nov 2016 11:03:13 GMT

Submit Date / Creation Date Time Stamp  Incident Response Date Time
09/14/2016 01:14 AM                    09/14/2016 01:19 AM

I was searching many scenarios in the SPLUNK community, but was not able to find a solution for this. We need to find the difference between the two timestamps above, and I need to display the output in minutes, seconds etc.

Is it possible?

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

Richfez — Tue, 29 Sep 2020 11:57:23 GMT

Yes, it is possible.

Without an actual sample of the entire event, this may be slightly off. Also, I don't know if you have it in fields or not, nor what fields it may be. As I look at what you have, I'm going to hope you have two fields, a "submit date time stamp" and a "incident response date time". This is highly likely to be wrong.

... your base search here ... 
| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval difference=response-submit | eval diff_in_minutes=difference/60

You will have to fix the fieldnames (submit_date, response_date) or reply with more information about that.

That uses eval strptime to convert the text strings into actual dates/times in unix epoch. That's just seconds, so we subtract them to get the difference and divide by 60 to get minutes.

Here's a run-anywhere example where I create the two fields, then perform the above calculations on them.

* | stats count | eval submit_date="09/14/2016 01:14 AM" | eval response_date="09/14/2016 01:19 AM"
| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval difference=response-submit | eval diff_in_minutes=difference/60

Note if you really don't need the difference in seconds you could just simplify:

| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval diff_in_minutes=(response-submit)/60

Happy Splunking!
-Rich

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

sundareshr — Wed, 30 Nov 2016 12:37:57 GMT

You have to convert the time to epochtime before you calculate difference. Try this

.... | eval submit=strptime("Submit Date / Creation Date Time Stamp", "%m/%d/%Y %H:%M %p") | eval response=strptime("Incident Response Date Time", "%m/%d/%Y %H:%M %p") | eval time_diff=response-submit | eval time_diff=tostring(time_diff, "duration")

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

rakeshyv0807 — Wed, 03 Apr 2019 18:24:42 GMT

Hi,

I have similar question and your response was with regards to two different fields but in my case we have only single timestamp field but there are two logs with two different timestamps in that field. How to calculate the difference? Can you kindly help.

See below sample of my logs:

11:01:17.876 AM 2019-04-03 tid:XG5HNBNsbPp8uZis90UWNl9vnqQ DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] entityid:ApplicationName subject:null

2019-04-03 11:01:26,579 tid:XG5HNBNsbPp8uZis90UWNl9vnqQ DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] entityid:ApplicationName subject:JohnDoe

The difference between two logs is the time stamp and subject value where in the first log the subject is null and in the second the subject is user id.

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

Bracha — Tue, 24 Sep 2024 08:44:32 GMT

hi
I have a similar problem
Tried this solution and I get an empty field

|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S") |eval diff = (end_time-time_epoch)/60

@Richfez

How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

Bracha — Tue, 24 Sep 2024 08:58:51 GMT

I'm trying to calculate the minute difference between two times
and get an empty field

.........base search here......... |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N") |eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S") |eval diff = (end_time-time_epoch)/60

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

PickleRick — Tue, 24 Sep 2024 09:28:57 GMT

If something doesn't work as you expect step back and check if you're getting right data in to get right data out.

1. After you eval your end_time, does it conatin a proper numerical epoch timestamp?

2. The time_epoch will most definitely _not_ contain proper epoch timestamp. The now() function itself returns what you need. There's no need to strptime() it. In fact it will only break its value since you can't parse a number using your provided time format.

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

Bracha — Tue, 24 Sep 2024 10:36:25 GMT

.........base search here......... |end_time = 2024-09-24 08:17:13.014337+00:00 |eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S") |eval _time = now() |eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S") |eval diff = (time_epoch-end_time)/60

Re: How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

isoutamo — Sat, 28 Sep 2024 15:38:04 GMT

Hi
As this is quite old thread, please create a new question to get answer. I suppose that most of us, didn't read and try to find new comments/questions from old and answered threads.

Based on field name you try to convert epoch time to epoch?