https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359810#M162131 <P>Hi richgalloway,</P> <P>Timestamp order is correct. Time5 is new and Time6 is old and we want to subtract Time5 - Time6 only. This negative results not coming for all the events..only for specfic events we are getting the negative values. those negative values are updated in ticket</P> <P>Regards,<BR /> Krishna</P> Tue, 20 Mar 2018 02:20:02 GMT kishen2017 2018-03-20T02:20:02Z https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359808#M162129 <P>Subtracting two timestamps results in negative values. Using epoch time to find the differences between two timestamp but the results comes in negative values.</P> <P>index=npp_pe_sumidx_slr003 | streamstats values(Time5) as new, values(Time6) as old | eval duration2=new-old | table new old duration2 </P> <PRE><CODE> T1 T2 Diff </CODE></PRE> <P>1521470540.030000 1521470540.290000 -0.260000 <BR /> 1521470596.110000 1521470596.360000 -0.250000 <BR /> 1521470620.090000 1521470620.310000 -0.220000 <BR /> 1521470588.020000 1521470588.240000 -0.220000 </P> Tue, 29 Sep 2020 18:32:37 GMT https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359808#M162129 kishen2017 2020-09-29T18:32:37Z https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359809#M162130 <P>Are you sure you have the fields in the correct order? Perhaps Time5 is old and Time6 is new?</P> Tue, 20 Mar 2018 02:08:41 GMT https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359809#M162130 richgalloway 2018-03-20T02:08:41Z https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359810#M162131 <P>Hi richgalloway,</P> <P>Timestamp order is correct. Time5 is new and Time6 is old and we want to subtract Time5 - Time6 only. This negative results not coming for all the events..only for specfic events we are getting the negative values. those negative values are updated in ticket</P> <P>Regards,<BR /> Krishna</P> Tue, 20 Mar 2018 02:20:02 GMT https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359810#M162131 kishen2017 2018-03-20T02:20:02Z https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359811#M162132 <P>Have you verified the values of Time5 and Time6 are the same as what your ticketing system says? If you just need to make sure you don't get a negative value for duration2 use <CODE>... | eval duration2=abs(new-old) | ...</CODE></P> Tue, 20 Mar 2018 03:24:32 GMT https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359811#M162132 richgalloway 2018-03-20T03:24:32Z https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359812#M162133 <P>@kishen2017, the negaive difference in the above example look correct to me.</P> <P>1521470540.290000 (T2) &gt; 1521470540.030000 (T1). If you compare 29 &gt; 03 and difference is 26. Since you are performing T1-T2 you are expected to get negative values. So you should perform T2-T1 as per your data.</P> Tue, 20 Mar 2018 06:20:45 GMT https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/359812#M162133 niketn 2018-03-20T06:20:45Z https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/538789#M162134 <P>Hi kishen,</P><P>did you find the a solution for your problem? I struggle with the same problem at my calculation.</P><P>nanosam</P> Fri, 05 Feb 2021 15:39:22 GMT https://community.splunk.com/t5/Splunk-Search/epoch-time-subraction-gives-negative-values/m-p/538789#M162134 nanosam 2021-02-05T15:39:22Z