https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345768#M102429 <P>Hi damien_chillet, I managed to get a desired value by following your suggestion, but now I get a result as 09:11:00.000000 instead of 09:11:00</P> <P>I am trying to calculate difference between 2 time ranges 3/27/2018 14:01 and 3/27/2018 23:12.</P> <P>am I missing something?</P> Thu, 14 Jun 2018 15:38:28 GMT pheonix101 2018-06-14T15:38:28Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345764#M102425 <P>I'm working on identifying which hosts are located in which time zone as the client does not have an inventory list and they have devices all around the globe.<BR /> I'm calculating the difference between the _time that was extracted from the log and _indextime to establish the difference between them, which will be a good indication of how many time zones the devices is away. <BR /> I get values of ranges around 0-15, around 3600 and around 7200, which is expected. <BR /> Now when I try to use strftime to express that difference into a readable format it always adds 1 hour to it. </P> Mon, 16 Apr 2018 14:34:26 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345764#M102425 MedralaG 2018-04-16T14:34:26Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345765#M102426 <P>Don't use strftime to deal with durations, use the following (where diff is your difference value in seconds):</P> <PRE><CODE> | eval diff=tostring(diff, "duration") </CODE></PRE> Mon, 16 Apr 2018 14:41:48 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345765#M102426 damien_chillet 2018-04-16T14:41:48Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345766#M102427 <P>Nice one, thank you. </P> Mon, 16 Apr 2018 15:59:20 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345766#M102427 MedralaG 2018-04-16T15:59:20Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345767#M102428 <P>You welcome <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 16 Apr 2018 16:05:57 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345767#M102428 damien_chillet 2018-04-16T16:05:57Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345768#M102429 <P>Hi damien_chillet, I managed to get a desired value by following your suggestion, but now I get a result as 09:11:00.000000 instead of 09:11:00</P> <P>I am trying to calculate difference between 2 time ranges 3/27/2018 14:01 and 3/27/2018 23:12.</P> <P>am I missing something?</P> Thu, 14 Jun 2018 15:38:28 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345768#M102429 pheonix101 2018-06-14T15:38:28Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345769#M102430 <P>Hi damien_chillet,</P> <P>i managed to get a desired result by following your suggestion, </P> <P>I am trying to calculate difference between 2 time ranges 3/27/2018 14:01 and 3/27/2018 23:12, but I get a result as 09:11:00.000000 instead of 09:11:00</P> <P>query: </P> <P>index=myindex| eval submit=strptime(in, "%m/%d/%Y %H:%M") | eval response=strptime(out, "%m/%d/%Y %H:%M") | eval Total=response-submit | eval Ntotal=tostring(Total,"duration") </P> <P>please advise.</P> Thu, 14 Jun 2018 15:42:12 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345769#M102430 pheonix101 2018-06-14T15:42:12Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345770#M102431 <P>whats is your string?</P> Fri, 15 Jun 2018 08:11:44 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345770#M102431 MedralaG 2018-06-15T08:11:44Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345771#M102432 <P>time ranges 3/27/2018 14:01 and 3/27/2018 23:12</P> <P>index=myindex| eval submit=strptime(in, "%m/%d/%Y %H:%M") | eval response=strptime(out, "%m/%d/%Y %H:%M") | eval Total=response-submit | eval Ntotal=tostring(Total,"duration")</P> Fri, 15 Jun 2018 08:34:39 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345771#M102432 pheonix101 2018-06-15T08:34:39Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345772#M102433 <P>hmm, interesting, without spending too much time looking into why it's giving you .0000 you can just do a round command on the Total eval to get rid of those , so:</P> <P>| eval Total=round(response-submit,0)</P> Fri, 15 Jun 2018 08:47:12 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345772#M102433 MedralaG 2018-06-15T08:47:12Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345773#M102434 <P>That did the trick. Thanks again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 15 Jun 2018 11:24:52 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345773#M102434 pheonix101 2018-06-15T11:24:52Z https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345774#M102435 <P>I am still trying to learn more about splunk functionality, any suggestions on learning Splunk commands (video guides/reference materials) would be helpful.</P> Fri, 15 Jun 2018 11:31:02 GMT https://community.splunk.com/t5/Splunk-Search/Strftime-adds-1-hour-after-converting/m-p/345774#M102435 pheonix101 2018-06-15T11:31:02Z