https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611658#M212648 <P>Dates can only be compared/calculated in integer (epoch) form.</P><LI-CODE lang="markup">| eval remediation_days = (strptime(last_fixed, "%Y-%m-%dT%H:%M:%S.%3N%Z") - strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z") / 86400) </LI-CODE> Thu, 01 Sep 2022 18:28:46 GMT richgalloway 2022-09-01T18:28:46Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611649#M212641 <P>I have 2 dates</P> <P><A href="https://es-idmesec.splunkcloud.com/en-US/app/search/search?earliest=-30d%40d&amp;latest=now&amp;q=search%20index%20%3D%20tenable%20state%3Dfixed%0A%7C%20table%20asset_hostname%20state%20first_found%20last_fixed%20severity%20plugin.id&amp;display.page.search.mode=fast&amp;dispatch.sample_ratio=1&amp;display.general.type=statistics&amp;display.page.search.tab=statistics&amp;sid=1662054448.224734#" target="_blank" rel="noopener">first_found:&nbsp;<SPAN>2022-08-23T21:08:54.808Z</SPAN></A></P> <P><SPAN><A href="https://es-idmesec.splunkcloud.com/en-US/app/search/search?earliest=-30d%40d&amp;latest=now&amp;q=search%20index%20%3D%20tenable%20state%3Dfixed%0A%7C%20table%20asset_hostname%20state%20first_found%20last_fixed%20severity%20plugin.id&amp;display.page.search.mode=fast&amp;dispatch.sample_ratio=1&amp;display.general.type=statistics&amp;display.page.search.tab=statistics&amp;sid=1662054448.224734#" target="_blank" rel="noopener">last_fixed:2022-08-30T12:56:58.860Z</A></SPAN></P> <P><SPAN>I am trying to calculate the difference in days between (first-found - last_fixed) and dump the result in a new field called "remediation_days"</SPAN></P> <P>&nbsp;</P> Thu, 01 Sep 2022 18:27:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611649#M212641 marceldera 2022-09-01T18:27:30Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611658#M212648 <P>Dates can only be compared/calculated in integer (epoch) form.</P><LI-CODE lang="markup">| eval remediation_days = (strptime(last_fixed, "%Y-%m-%dT%H:%M:%S.%3N%Z") - strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z") / 86400) </LI-CODE> Thu, 01 Sep 2022 18:28:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611658#M212648 richgalloway 2022-09-01T18:28:46Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611671#M212653 <P>It works, however the results come back like this.&nbsp;<SPAN>2419200.000000 even after i do the division.</SPAN></P> Thu, 01 Sep 2022 19:52:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611671#M212653 marceldera 2022-09-01T19:52:13Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611672#M212654 <P>Parens error on my part.</P><LI-CODE lang="markup">| eval remediation_days = (strptime(last_fixed, "%Y-%m-%dT%H:%M:%S.%3N%Z") - strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z")) / 86400</LI-CODE><P>There's also this alternative.</P><P>&nbsp;</P><LI-CODE lang="markup">| eval remediation_secs = strptime(last_fixed, "%Y-%m-%dT%H:%M:%S.%3N%Z") - strptime(first_found, "%Y-%m-%dT%H:%M:%S.%3N%Z") | eval remediation_days = round(remediation_secs / 86400, 2)</LI-CODE><P>&nbsp;</P> Thu, 01 Sep 2022 20:02:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-the-difference-between-two-dates/m-p/611672#M212654 richgalloway 2022-09-01T20:02:51Z