https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247655#M189138 <P>Getting below Error when i use | eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration") |<BR /> Not sure what i am missing in eval statement <BR /> Error in 'eval' command: The expression is malformed. Expected ). </P> <P>Query is as below: </P> <P>search|eval 3CMStartTime = _time|table Corr 3CMStartTime|join Corr [search XXXXX|eval 3CMEndTime = _time]|table Corr 3CMStartTime 3CMEndTime|Join Corr [search XXX deliveryTime*]|fields Corr 3CMStartTime 3CMEndTime DeliveryDateTime|table Corr<BR /> 3CMStartTime 3CMEndTime DeliveryDateTime|eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration"))</P> Fri, 26 Aug 2016 04:59:16 GMT samarkumar 2016-08-26T04:59:16Z https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247653#M189136 <P>I am using the below query <BR /> search|eval 3CMStartTime = _time|table Corr 3CMStartTime|join Corr [search XXXXX|eval 3CMEndTime = _time]|table Corr 3CMStartTime 3CMEndTime|Join Corr [search XXX deliveryTime*]|fields Corr 3CMStartTime 3CMEndTime DeliveryDateTime|table Corr <BR /> 3CMStartTime 3CMEndTime DeliveryDateTime|</P> <P>Data is coming as follow: <BR /> Corr 3CMStartTime 3CMEndTime DeliveryDateTime<BR /> XX1 1472157011 1472157012 2016-08-25T13:30:36.823<BR /> XX2 1472156537 1472156541 2016-08-25T13:23:38.59<BR /> XX3 1472156494 1472156494 2016-08-25T13:23:32.39 </P> <P>I need time difference in seconds for below: </P> <P>Eval diffr1=3CMEndTime - 3CMStartTime </P> <P>eval diffr2=DeliveryDateTime-3CMEndTime </P> <P>i was trying </P> <P>eval TimeDifference = strftime((EpochTime(3CMEndTime) - EpochTime(3CMStartTime )) , "%H:%M:%S")</P> <P>but getting below error "Error in 'eval' command: The expression is malformed. Expected ). "</P> <P>Your help will be greatly appreciated. </P> Fri, 26 Aug 2016 04:26:31 GMT https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247653#M189136 samarkumar 2016-08-26T04:26:31Z https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247654#M189137 <P>Your time already appears to be in epoch format, so there is no need to convert it. Also, time difference is in seconds, so strftime is not the right function to format it. Try this</P> <PRE><CODE>.... | eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration") | ... </CODE></PRE> Fri, 26 Aug 2016 04:44:19 GMT https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247654#M189137 sundareshr 2016-08-26T04:44:19Z https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247655#M189138 <P>Getting below Error when i use | eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration") |<BR /> Not sure what i am missing in eval statement <BR /> Error in 'eval' command: The expression is malformed. Expected ). </P> <P>Query is as below: </P> <P>search|eval 3CMStartTime = _time|table Corr 3CMStartTime|join Corr [search XXXXX|eval 3CMEndTime = _time]|table Corr 3CMStartTime 3CMEndTime|Join Corr [search XXX deliveryTime*]|fields Corr 3CMStartTime 3CMEndTime DeliveryDateTime|table Corr<BR /> 3CMStartTime 3CMEndTime DeliveryDateTime|eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration"))</P> Fri, 26 Aug 2016 04:59:16 GMT https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247655#M189138 samarkumar 2016-08-26T04:59:16Z https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247656#M189139 <P>Try putting your field names within single quotes. Eval statement does not like it when field names start with a number or has special characters in it. So you eval should look like this</P> <PRE><CODE>... | eval TimeDifference = tostring('3CMEndTime'-'3CMStartTime', "duration")) </CODE></PRE> Fri, 26 Aug 2016 14:38:28 GMT https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247656#M189139 sundareshr 2016-08-26T14:38:28Z https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247657#M189140 <P>I discussed with Sundareshr, and found that the below one is working as expected. <BR /> ..| eval TimeDifference = tostring('3CMEndTime'-'3CMStartTime', "duration") | </P> Fri, 26 Aug 2016 14:43:59 GMT https://community.splunk.com/t5/Splunk-Search/Difficulty-to-get-the-time-difference-between-two-event-time/m-p/247657#M189140 samarkumar 2016-08-26T14:43:59Z