https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375581#M162893 <P>Try this run anywhere search:</P> <PRE><CODE>|makeresults|eval EndTime="2/14/2018 9:28:19", BeginTime="2/6/2018 14:53:45"|eval EndTime=strptime(EndTime,"%m/%d/%Y %H:%M:%S"), BeginTime=strptime(BeginTime,"%m/%d/%Y %H:%M:%S")|eval days=round((EndTime-BeginTime)/86400) </CODE></PRE> Wed, 14 Feb 2018 17:42:12 GMT 493669 2018-02-14T17:42:12Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375580#M162892 <P>How would I go about subtracting EndTime from BeginTime?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4386i383D5E610C4BE6C2/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 14 Feb 2018 17:34:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375580#M162892 cotyp 2018-02-14T17:34:00Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375581#M162893 <P>Try this run anywhere search:</P> <PRE><CODE>|makeresults|eval EndTime="2/14/2018 9:28:19", BeginTime="2/6/2018 14:53:45"|eval EndTime=strptime(EndTime,"%m/%d/%Y %H:%M:%S"), BeginTime=strptime(BeginTime,"%m/%d/%Y %H:%M:%S")|eval days=round((EndTime-BeginTime)/86400) </CODE></PRE> Wed, 14 Feb 2018 17:42:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375581#M162893 493669 2018-02-14T17:42:12Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375582#M162894 <P>hello there,<BR /> try this:</P> <PRE><CODE>... your search ... |eval end_time_epoch = strptime(EndTime, "%m/%d/%Y %H:%M:%S") |eval begin_time_epoch = strptime(BeginTime, "%m/%d/%Y %H:%M:%S") | eval duration = end_time_epoch - begin_time_epoch </CODE></PRE> <P>hope it helps</P> Wed, 14 Feb 2018 17:45:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375582#M162894 adonio 2018-02-14T17:45:00Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375583#M162895 <P>how would you go about getting results in minutes?</P> Wed, 14 Feb 2018 20:38:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375583#M162895 cotyp 2018-02-14T20:38:35Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375584#M162896 <P>How would I make the epoch time human readable? Results to display in a manner such as, 8d 15 hrs 20 minutes?</P> Wed, 14 Feb 2018 20:39:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375584#M162896 cotyp 2018-02-14T20:39:09Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375585#M162897 <P>try this at the end of your query:</P> <PRE><CODE> | eval "duration_Days+HHMMSS" = tostring(duration, "duration") </CODE></PRE> Wed, 14 Feb 2018 21:20:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375585#M162897 adonio 2018-02-14T21:20:28Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375586#M162898 <P>to get results in min divide the difference(in sec.) by 60</P> <PRE><CODE>...|eval minutes=round((EndTime-BeginTime)/60) </CODE></PRE> Thu, 15 Feb 2018 03:02:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375586#M162898 493669 2018-02-15T03:02:47Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375587#M162899 <P>if you want duration in <CODE>day</CODE> <CODE>hr</CODE> and <CODE>min</CODE> then try this run anywhere search:</P> <PRE><CODE>|makeresults|eval EndTime="2/14/2018 9:28:19", BeginTime="2/6/2018 14:53:45"|eval EndTime=strptime(EndTime,"%m/%d/%Y %H:%M:%S"), BeginTime=strptime(BeginTime,"%m/%d/%Y %H:%M:%S")| eval stringSecs = tostring((EndTime-BeginTime), "duration")| eval stringSecss = replace(stringSecs,"(\d+)\+(\d+)\:(\d+)\:.*","\1d \2h \3min ") </CODE></PRE> Thu, 15 Feb 2018 03:30:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375587#M162899 493669 2018-02-15T03:30:00Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375588#M162900 <P>thank you!</P> Thu, 15 Feb 2018 14:13:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375588#M162900 cotyp 2018-02-15T14:13:12Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375589#M162901 <P>Glad to help you:) Please accept the answer as well.</P> Thu, 15 Feb 2018 14:16:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-two-time-fields/m-p/375589#M162901 493669 2018-02-15T14:16:57Z