https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502056#M139754 <PRE><CODE>index=s_iss sourcetype=S_AD Name=* | eval Last_Date = "2019-09-28 17:09:19" | eval diff=_time - strptime(Last_Date,"%F %T") | eval Last_Date=mvindex(split(Last_Date," "),0) | table _time diff Name Last_Date </CODE></PRE> <P>Why do you calculate <CODE>now()</CODE> and <EM>Last_Date</EM>? <BR /> It is fixed value.</P> <P>This query aims to calculate the <EM>diff</EM> between <EM>_time</EM> and <EM>Last_Date</EM> .<BR /> How about this?</P> Sat, 23 May 2020 22:51:13 GMT to4kawa 2020-05-23T22:51:13Z https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502054#M139752 <P>I tried to difference between 2 dates. It is not working properly.</P> <P>Here is my query,</P> <P>index=s_iss sourcetype=S_AD | fillnull value="" |eval Last_Date="2019-09-28 17:09:19.0"|eval _time="2019-05-21 4:55:00.143" | eval Last_Date=strftime(strptime(Last_Date,"%Y-%m-%d %H:%M:%S.%Q"),"%Y-%m-%d") | eval _time = strptime(_time, "%Y-%m-%d") | eval diff = ( _time - Last_Date)|stats count by Name,Last_Date,_time,diff</P> <P>I need the time difference between Last_date and now() and display as Date.<BR /> Can someone help me out.</P> Wed, 30 Sep 2020 05:29:44 GMT https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502054#M139752 nivethainspire_ 2020-09-30T05:29:44Z https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502055#M139753 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/122614">@nivethainspire_</a>07,<BR /> in you example _time is a variable that you need to convert in epochtime (with strptime), in real events, you don't need to do this convertion because _time is already in epochtime.</P> <P>Then, in your example, you don't calculate the difference between now and Last_Date but the difference between _time and Last_Date.<BR /> Then if you want to use _time in stats, you have to group values (using bin command) before stats or you have to use timechart command.</P> <P>So, if you want the difference between Last_Date and now, you could try something like this.</P> <PRE><CODE>index=s_iss sourcetype=S_AD | fillnull value="" | eval diff=now()-strptime(Last_Date,"%Y-%m-%d %H:%M:%S.%Q") | timechart span=1h latest(diff) AS date by Name </CODE></PRE> <P>Ciao.<BR /> Giuseppe</P> Wed, 30 Sep 2020 05:29:50 GMT https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502055#M139753 gcusello 2020-09-30T05:29:50Z https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502056#M139754 <PRE><CODE>index=s_iss sourcetype=S_AD Name=* | eval Last_Date = "2019-09-28 17:09:19" | eval diff=_time - strptime(Last_Date,"%F %T") | eval Last_Date=mvindex(split(Last_Date," "),0) | table _time diff Name Last_Date </CODE></PRE> <P>Why do you calculate <CODE>now()</CODE> and <EM>Last_Date</EM>? <BR /> It is fixed value.</P> <P>This query aims to calculate the <EM>diff</EM> between <EM>_time</EM> and <EM>Last_Date</EM> .<BR /> How about this?</P> Sat, 23 May 2020 22:51:13 GMT https://community.splunk.com/t5/Splunk-Search/calculate-Difference-between-2-time-fields-is-not-working/m-p/502056#M139754 to4kawa 2020-05-23T22:51:13Z