topic How to subtract miliseconds from _time ? in Splunk Search

How to subtract miliseconds from _time ?

zacksoft — Wed, 30 Sep 2020 04:49:30 GMT

I have a field serv_time = 44432 in miliseconds.
and the default field _time.
I want to be able to subtract _time - serv_time (_time minus - serv-time)

and get the result in a human readable format ?

Re: How to subtract miliseconds from _time ?

memarshall63 — Fri, 03 Apr 2020 13:36:19 GMT

_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:

| makeresults 
| eval serv_time = 44432
| eval epoch_time = _time 
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000) 
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")

Re: How to subtract miliseconds from _time ?

zacksoft — Fri, 03 Apr 2020 15:29:46 GMT

I'm not getting the expected result. I am not getting the subtracted time.

 index="bayseian" source="/apps/runner/mahem/logs/sachin.out" | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds

     | eval serv_time = boot_time
 | eval epoch_time = _time 
 | eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
 | eval sub_time = epoch_time - (boot_time/1000) 
 | eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
 | eval sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")

 | table human_time sub_time

Re: How to subtract miliseconds from _time ?

memarshall63 — Wed, 30 Sep 2020 04:52:06 GMT

@zacksoft in your uuery human_time and sub_time are both formatting sub_time -- so they'll be the same.

If you change your last line to display:

|table human_epoch_time sub_time human_time

You should see the diff between human_epoch_time and sub_time