https://community.splunk.com/t5/Splunk-Search/How-can-I-calculate-the-date-difference-by-two-timestamp/m-p/354880#M104995 <P>Hi all,</P> <P>I want to calculate the difference between dates within two different dates, my search is as below:</P> <P>code 1: </P> <PRE><CODE>| tstats min(_time) as first_time, max(_time) as last_time from datamodel=A by A.tag | eval diff_date= (last_time- first_time)/ 86400 </CODE></PRE> <P>The result of code 1 can get some value, but it is not 100% accurate, for example, if my first_time is 10/23/2017 11:00pm and last_time is 10/24/2017 09:00am, the result I want is 1 day difference, I only focus on the date, but if I use above code, the date difference could be 0, cause it is within 24 hours.</P> <P>code 2:</P> <PRE><CODE>| tstats min(_time) as first_time, max(_time) as last_time from datamodel=A by A.tag | eval first_date = strptime(first_time,"%Y-%m-%d") | eval last_date = strptime(last_time,"%Y-%m-%d") | eval diff = tostring((last_date-first_date), "duration") </CODE></PRE> <P>I did a lot of research and someone mentioned that tostring function can also help. But my problem here is that I can't know why I can't get anything if I use strptime function, but I CAN get the correct date by using strftime function, however, still can't get anything for the diff column.</P> <P>Can anyone Kindly help me on this? I really getting crazy trying to figure out this problem.</P> <P>Thanks very much.</P> <P>S</P> Tue, 29 Sep 2020 17:57:02 GMT sakuraWu1 2020-09-29T17:57:02Z https://community.splunk.com/t5/Splunk-Search/How-can-I-calculate-the-date-difference-by-two-timestamp/m-p/354880#M104995 <P>Hi all,</P> <P>I want to calculate the difference between dates within two different dates, my search is as below:</P> <P>code 1: </P> <PRE><CODE>| tstats min(_time) as first_time, max(_time) as last_time from datamodel=A by A.tag | eval diff_date= (last_time- first_time)/ 86400 </CODE></PRE> <P>The result of code 1 can get some value, but it is not 100% accurate, for example, if my first_time is 10/23/2017 11:00pm and last_time is 10/24/2017 09:00am, the result I want is 1 day difference, I only focus on the date, but if I use above code, the date difference could be 0, cause it is within 24 hours.</P> <P>code 2:</P> <PRE><CODE>| tstats min(_time) as first_time, max(_time) as last_time from datamodel=A by A.tag | eval first_date = strptime(first_time,"%Y-%m-%d") | eval last_date = strptime(last_time,"%Y-%m-%d") | eval diff = tostring((last_date-first_date), "duration") </CODE></PRE> <P>I did a lot of research and someone mentioned that tostring function can also help. But my problem here is that I can't know why I can't get anything if I use strptime function, but I CAN get the correct date by using strftime function, however, still can't get anything for the diff column.</P> <P>Can anyone Kindly help me on this? I really getting crazy trying to figure out this problem.</P> <P>Thanks very much.</P> <P>S</P> Tue, 29 Sep 2020 17:57:02 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-calculate-the-date-difference-by-two-timestamp/m-p/354880#M104995 sakuraWu1 2020-09-29T17:57:02Z https://community.splunk.com/t5/Splunk-Search/How-can-I-calculate-the-date-difference-by-two-timestamp/m-p/354881#M104996 <P>Code 1 <CODE>eval first_date = strftime(first_time,"%Y-%m-%d-%H") | eval last_date = strftime(last_time,"%Y-%m-%d-%H")|eval firstdate = strptime(first_date,"%Y-%m-%d")|eval lastdate = strptime(last_date,"%Y-%m-%d-%H")|eval diff_date=(lastdate-firstdate)/86400 | fields diff_date</CODE></P> <P>You can shorten the query of course, but remove |fields to see all fields and the calculations</P> Sat, 03 Feb 2018 11:54:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-calculate-the-date-difference-by-two-timestamp/m-p/354881#M104996 Sukisen1981 2018-02-03T11:54:46Z