topic Re: Eval Time_Diff in Splunk Search https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482248#M143328 <P>Is <CODE>date_time</CODE> epoch?</P> Mon, 24 Feb 2020 21:01:39 GMT to4kawa 2020-02-24T21:01:39Z Eval Time_Diff https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482247#M143327 <P>I am having trouble getting a result to appear for the below query. I am trying to produce a column showing time_diff of the lastest timestamp result for lane_RFID subtracted from the time now. The table doesn't show a result for time_diff, but everything else shows properly. Hopefully it is something easy. Thank you.</P> <P>index=*"RFID Message received for:" | stats latest(date_time) by LANE_RFID | eval time_now=now() | eval time_now=strftime(time_now,"%Y/%m/%d %H:%M:%S") | eval time_diff=strftime(time_diff,"%M:%S") | eval time_diff=time_now-date_time| table LANE_RFID time_now latest(date_time) time_diff</P> Wed, 30 Sep 2020 04:24:13 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482247#M143327 cglowjr 2020-09-30T04:24:13Z Re: Eval Time_Diff https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482248#M143328 <P>Is <CODE>date_time</CODE> epoch?</P> Mon, 24 Feb 2020 21:01:39 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482248#M143328 to4kawa 2020-02-24T21:01:39Z Re: Eval Time_Diff https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482249#M143329 <P>date_time is formatted 2020/02/24 16:14:34</P> Mon, 24 Feb 2020 21:23:59 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482249#M143329 cglowjr 2020-02-24T21:23:59Z Re: Eval Time_Diff https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482250#M143330 <PRE><CODE>index=*"RFID Message received for:" | stats latest(date_time) as date_time by LANE_RFID | eval time_now=strftime(now(),"%Y/%m/%d %H:%M:%S") | eval time_diff=now() - strptime(date_time,"%Y/%m/%d %H:%M:%S") | table LANE_RFID time_now date_time time_diff </CODE></PRE> Mon, 24 Feb 2020 22:30:24 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482250#M143330 to4kawa 2020-02-24T22:30:24Z Re: Eval Time_Diff https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482251#M143331 <P>This works wonderfully! Thank you so much!</P> Mon, 24 Feb 2020 22:58:41 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Time-Diff/m-p/482251#M143331 cglowjr 2020-02-24T22:58:41Z