https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498140#M141093 <P>Many thanks for promptness. And how about if it is just date only? </P> <P>Time_Created: 12/20/19<BR /> Time_Closed: 1/1/20</P> <P>To how many days it took.</P> Wed, 30 Sep 2020 04:40:11 GMT mbasharat 2020-09-30T04:40:11Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498138#M141091 <P>Hi,</P> <P>I have two fields in my report. Time_Created and Time_Closed. They are for time an incident ticket was created and then closed.</P> <P>Their format is:</P> <P>Time_Created: 12/20/19 11:30 <BR /> Time_Closed: 1/1/20 16:50 </P> <P>I need to find the difference between both and result in an additional field e.g. Time_to_resolution. </P> <P>Basically, I need to see how long it took to resolve a ticket from its creation to closure.</P> <P>Thanks, in advance!!!</P> Wed, 30 Sep 2020 04:40:10 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498138#M141091 mbasharat 2020-09-30T04:40:10Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498139#M141092 <P>Hi</P> <P>Check this</P> <PRE><CODE>| makeresults | eval Time_Created="12/31/19 11:30",Time_Closed="1/1/20 16:50" | eval temp = tostring(round(strptime(Time_Closed,"%m/%d/%y %H:%M") -strptime(Time_Created,"%m/%d/%y %H:%M"),0),"duration") | eval Time_to_resolution=replace(temp,"(\d*)\+*(\d+):(\d+):(\d+)","\1 days \2 hours \3 minutes \4 secs") |table Time_Created Time_Closed Time_to_resolution </CODE></PRE> Fri, 20 Mar 2020 05:42:42 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498139#M141092 vnravikumar 2020-03-20T05:42:42Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498140#M141093 <P>Many thanks for promptness. And how about if it is just date only? </P> <P>Time_Created: 12/20/19<BR /> Time_Closed: 1/1/20</P> <P>To how many days it took.</P> Wed, 30 Sep 2020 04:40:11 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498140#M141093 mbasharat 2020-09-30T04:40:11Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498141#M141094 <P>Check this</P> <PRE><CODE>| makeresults | eval Time_Created="12/31/19",Time_Closed="1/1/20" | eval temp = tostring(round(strptime(Time_Closed,"%m/%d/%y") -strptime(Time_Created,"%m/%d/%y"),0),"duration") | eval Time_to_resolution=replace(temp,"(\d*)\+*(\d+):(\d+):(\d+)","\1 day(s)") </CODE></PRE> Fri, 20 Mar 2020 06:43:51 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498141#M141094 vnravikumar 2020-03-20T06:43:51Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498142#M141095 <P>This is awesome! TY!!! This triggered my curiosity for some additional chart for my use case. How about converting below to month? Either fields with or without time will work because I am using everything you have provided.</P> <P>Time_Created: 12/20/19 11:30 to MonthCreated=December</P> <P>Time_Closed: 1/1/20 16:50 to MonthClosed=January</P> <P>Case statement or whatever is best as you suggest?</P> Fri, 20 Mar 2020 06:54:27 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498142#M141095 mbasharat 2020-03-20T06:54:27Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498143#M141096 <P>Check this</P> <PRE><CODE>| makeresults | eval Time_Created="12/31/19",Time_Closed="1/1/20" | eval MonthCreated = strftime(strptime(Time_Created,"%m/%d/%y"),"%B"), MonthClosed=strftime(strptime(Time_Closed,"%m/%d/%y"),"%B") </CODE></PRE> Fri, 20 Mar 2020 07:13:04 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498143#M141096 vnravikumar 2020-03-20T07:13:04Z https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498144#M141097 <P>Awesome!!! THANK YOU!!!</P> Fri, 20 Mar 2020 14:49:07 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-two-times/m-p/498144#M141097 mbasharat 2020-03-20T14:49:07Z