https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451137#M78232 <P>Great! </P> <P>How does this look? You're correct. The sessionIDs would be the same!</P> <P>cf_app_name="my-app-services" "msg.platform"=iOS "msg.level"=INFO <BR /> | rex field="msg.message" "\s+-\s+Time:\s+(?[^\"]+)" <BR /> | eval Time = strptime(Time, "%H:%M:%S") <BR /> | stats range(Time) AS duration list(*) AS * BY sessionID <BR /> | where duration &gt; 60</P> <P>Doesn't the rex field need to be "msg.message" according to my example above?</P> Tue, 29 Sep 2020 23:16:05 GMT imservicesbg 2020-09-29T23:16:05Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451134#M78229 <P>Hello friends,</P> <P>Say I have two index events that return string messages such as:</P> <P>SCHEDULE - SUCCESS - Time: 05:12:02<BR /> AUTH - SUCCESS - Time: 05:14:01</P> <P>Here are the example events:</P> <P>EVENT 1 - </P> <PRE><CODE>{ "cf_app_id":"345345345345", "cf_app_name":"my-app-services", "job_index":"b4853c36-6ecd-4902-9eb6xxxxxxxxx", "message_type":"OUT", "msg":{ "component":"MyApp", "device":"iPhone", "deviceID":"3534534534534", "level":"INFO", "levelindicator":"✏️", "message":"SCHEDULE - SUCCESS - Time: 05:12:02", "osversion":"12.0.1", "platform":"iOS", "reference":"Logger.swift|info|31", "sessionID":"234234234234", "username":"N/A", "version":"5.1.0" }, "origin":"rep", "source_instance":"0", "source_type":"APP/PROC/WEB", "timestamp":1549302723595711849 } </CODE></PRE> <P>EVENT 2 - </P> <PRE><CODE>{ "cf_app_id":"34534534532", "cf_app_name":"my-app-services", "job_index":"b4853c36-6ecd-4902-9eb6zzzzzzz", "message_type":"OUT", "msg":{ "component":"MyApp", "device":"iPhone", "deviceID":"345435345345", "level":"INFO", "levelindicator":"✏️", "message":"AUTH - SUCCESS - Time: 05:14:01", "osversion":"12.0.1", "platform":"iOS", "reference":"Logger.swift|info|31", "sessionID":"6456464564", "username":"N/A", "version":"5.1.0" }, "origin":"rep", "source_instance":"0", "source_type":"APP/PROC/WEB", "timestamp":567567567567 } </CODE></PRE> <P>The logic here is, Splunk is reporting a successful SCHEDULE service call and adding a JS timestamp from Date() to "msg.message". Then comes an AUTHORIZATION success call a couple minutes later and does the same thing with a Date() timestamp to "msg.message". </P> <P>What I want to do:</P> <P>I want to take the timestamps out of each like so:</P> <P>05:14:01 and 05:12:02 and then subtract those to find the difference of 2:01. Then create a panel that shows all comparisons like that which are over 1 minute in duration. </P> <P>Is this even possible? What kind of search param would I use to find the substring with Splunk and find the time difference which creates my panel? I hope this is clear in what I am trying to do. Should I use compare?</P> <P>Thank you!</P> Mon, 11 Feb 2019 19:43:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451134#M78229 imservicesbg 2019-02-11T19:43:07Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451135#M78230 <P>If you refer to <A href="https://answers.splunk.com/answers/613695/converting-hmmss-into-hour-minutes-and-seconds.html">https://answers.splunk.com/answers/613695/converting-hmmss-into-hour-minutes-and-seconds.html</A> the dur2sec might be an option here...however that might fail when your close to midnight in which case strptime might work.</P> <P>strptime to convert to epoch, minus the two epoch values, then convert back into a duration with an:<BR /> | eval duration=tostring(differencevalue,"duration")</P> <P>Sorry don't have time to write a full answer this morning...</P> Mon, 11 Feb 2019 21:56:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451135#M78230 gjanders 2019-02-11T21:56:57Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451136#M78231 <P>Like this:</P> <PRE><CODE>index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo | rex field=msg.message "\s+-\s+Time:\s+(?&lt;Time&gt;[^\"]+)" | eval Time = strptime(Time, "%H:%M:%S") | stats range(Time) AS duration list(*) AS * BY sessionID | where duration &gt; 60 </CODE></PRE> <P>This is assuming that the events share a common <CODE>sessoinID</CODE> value (which your events, as shown, do not). If this is a mistake, switch that out for the field that does correlate the 2 events.</P> Tue, 12 Feb 2019 02:03:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451136#M78231 woodcock 2019-02-12T02:03:32Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451137#M78232 <P>Great! </P> <P>How does this look? You're correct. The sessionIDs would be the same!</P> <P>cf_app_name="my-app-services" "msg.platform"=iOS "msg.level"=INFO <BR /> | rex field="msg.message" "\s+-\s+Time:\s+(?[^\"]+)" <BR /> | eval Time = strptime(Time, "%H:%M:%S") <BR /> | stats range(Time) AS duration list(*) AS * BY sessionID <BR /> | where duration &gt; 60</P> <P>Doesn't the rex field need to be "msg.message" according to my example above?</P> Tue, 29 Sep 2020 23:16:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451137#M78232 imservicesbg 2020-09-29T23:16:05Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451138#M78233 <P>I updated <CODE>msg.messsage</CODE>. Does it actually work for you? If so, click <CODE>Accept</CODE> to close the question.</P> Wed, 13 Feb 2019 00:29:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-parse-two-string-times-and-compare-and-get-difference/m-p/451138#M78233 woodcock 2019-02-13T00:29:13Z