topic how to find time difference in below format? in Getting Data In

how to find time difference in below format?

manuraj_rajappa — Wed, 30 Sep 2020 03:42:06 GMT

New_Time=2020‎-‎01‎-‎19T15:06:53.134000000Z
Previous_Time=2020‎-‎01‎-‎19T15:06:53.134396700Z

how to find the time difference of above times?

Re: how to find time difference in below format?

gcusello — Mon, 20 Jan 2020 15:23:58 GMT

Hi @manuraj.rajappan@tcs.com,
to find time differences, you have to convert your timestamps in epoch time using eval command and the strptime function, something like this:

your search
| eval diff=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")
| ...

Ciao.
Giuseppe

Re: how to find time difference in below format?

richgalloway — Mon, 20 Jan 2020 15:28:51 GMT

To find the difference between times you must first convert them to epoch form.

... | eval nt = strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z"), pt= strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| eval diff = nt - pt
| fieldformat diff = tostring(diff, "duration")
| table diff

Re: how to find time difference in below format?

richgalloway — Mon, 20 Jan 2020 15:49:13 GMT

Please consider changing your user name. We discourage the use of email addresses here to avoid spam.

Re: how to find time difference in below format?

manuraj_rajappa — Mon, 20 Jan 2020 16:04:28 GMT

Am getting blank result while executing query. Please find the screenshot

Re: how to find time difference in below format?

manuraj_rajappa — Mon, 20 Jan 2020 16:05:24 GMT

Am getting blank screen while executing query. (Please find above)

Re: how to find time difference in below format?

gcusello — Wed, 30 Sep 2020 03:46:23 GMT

Hi @manuraj.rajappan@tcs.com,
I think that New_Time and Previous_Time are two field already extracted and present in you logs.
If you haven't them, you have to understand how to extract them from logs or from a correlation.
Can you share two events identifying the above fields?

ciao.
Giuseppe

Re: how to find time difference in below format?

manuraj_rajappa — Mon, 20 Jan 2020 16:23:33 GMT

Both filelds are available already for each event. No issues with this I guess. Need some help 😞

Re: how to find time difference in below format?

manuraj_rajappa — Mon, 20 Jan 2020 16:36:09 GMT

Getting blank result after query. Please advise.

Re: how to find time difference in below format?

gcusello — Mon, 20 Jan 2020 16:38:39 GMT

Hi @manuraj.rajappan@tcs.com,
debug the situation in this way:

index=your_index New_Time=* Previous_Time=*
| table _time New_Time Previous_Time

in this way you can be sure that the fields are in each event

than continue in this way

index=your_index New_Time=* Previous_Time=*
| eval New_epoch_Time=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N"), Previous_epoch_Time=strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N"), diff=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")
| table _time New_Time Previous_Time New_epoch_Time Previous_epoch_Time diff

In this way you can see if the conversion in epoch time is correct.

Ciao.
Giuseppe

Re: how to find time difference in below format?

vnravikumar — Tue, 21 Jan 2020 04:44:25 GMT

Check this

| makeresults 
| eval New_Time="2020-01-19T15:06:53.134000000Z",Previous_Time="2020-01-19T15:06:53.134396700Z" 
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") 
| fieldformat diff = tostring(diff, "duration") 
| table diff