https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432474#M123585 <P>Please explain how can you strip the time out of 2 epoch times together. Also how can you compare an epoch time result against a regular number ? </P> Wed, 24 Oct 2018 15:50:43 GMT rsokolova 2018-10-24T15:50:43Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432471#M123582 <P>Hi,</P> <P>I have a query which returns two columns Time1 which is _time and one more column Time 2 which is user calculated time available in the event as below,</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5665i2593B2DF9375901B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Query used </P> <PRE><CODE>index=data |eval GetdateTime = date + " " + gettime | timechart span=5m last(GetdateTime) as Time2 by server </CODE></PRE> <P>Query returns the last date logged in event by server. I have to identify difference between those two time fields which is _time &amp; Time2. How do i find the difference since the format of the fields are different for hours section. _time uses : as separator where in the field available in the column is using . as separator. How do i replace it and then convert it to epochtime in order to find the difference ?</P> <P>I need to define an alert in real time to check if there is a difference in field is more than 10 mins <BR /> Please let me know.</P> Tue, 28 Aug 2018 11:31:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432471#M123582 sangs8788 2018-08-28T11:31:48Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432472#M123583 <P>There is no need to convert _time as it is already in epoch form (it's automatically converted to text when displayed). Use the <CODE>strptime</CODE> function to convert time2 to an epoch then you can subtract the two times to find their difference.</P> <PRE><CODE>index=data |eval GetdateTime = date + " " + gettime | eval Timediff=strptime(GetdateTime, "%Y-%m-%d %H.%M.%S") | where Timediff&gt;600 | ... </CODE></PRE> Tue, 28 Aug 2018 12:13:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432472#M123583 richgalloway 2018-08-28T12:13:17Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432473#M123584 <P>Hi @sangs8788. Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues. Thanks!</P> Tue, 28 Aug 2018 19:35:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432473#M123584 mstjohn_splunk 2018-08-28T19:35:21Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432474#M123585 <P>Please explain how can you strip the time out of 2 epoch times together. Also how can you compare an epoch time result against a regular number ? </P> Wed, 24 Oct 2018 15:50:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-difference-between-two-times-which-are-off-by-two/m-p/432474#M123585 rsokolova 2018-10-24T15:50:43Z