topic Subtracting two timestamps in Splunk Search

Subtracting two timestamps

guimilare — Fri, 18 Sep 2015 14:08:17 GMT

Hi Splunkers.

I have one issue about subtracting two timestamps.
I have the following fields:

start=20150917 18:28:32.460
end=20150917 18:28:32:500

I tried something like this:

<mysearch> |  eval result_field=end-start

but no lucky.

I need the output as result_field=00:00:00.040.

Can you guys help me?
Thank you!
Best regards.

Re: Subtracting two timestamps

somesoni2 — Fri, 18 Sep 2015 14:15:17 GMT

Try this

<Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration")

Updated per new req

<Your search > | eval result_field=strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N") | stats avg(result_field) as result_field | eval result_field=tostring(result_field,"duration")

Re: Subtracting two timestamps

DavidHourani — Fri, 18 Sep 2015 14:19:04 GMT

Hey,

What you're looking for is a tostring conversion.

Simply use the following:

 <mysearch> |  eval result_field=end-start | eval result_field = tostring(result_field,"duration")

Or simply:

<mysearch> |  eval result_field = tostring(end-start,"duration")

Let me know how that works out for you!

Cheers,
David

Re: Subtracting two timestamps

guimilare — Fri, 18 Sep 2015 14:41:23 GMT

Hi Somesoni2,
this appears to work!
How can I get an average from result_field?
I tried to do

 <Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration") | avg(result_field) as Average

but no success.
Regards

Re: Subtracting two timestamps

somesoni2 — Fri, 18 Sep 2015 14:55:49 GMT

The above query generates a string field with the format you requested, so can't get the avg. Try the updated query.

Re: Subtracting two timestamps

sunilsk1 — Tue, 29 Sep 2020 20:25:52 GMT

It still not working for . i have this sample log entry where boot-time for each machine in ENV are reported
I have 2016-05,ENV,R1,W,05/25/16 21:00:00.000,05/26/16 02:00:00.000,05/25/16 23:09:00.000,05/26/16 05:12:00.000,183

Where my "Scheduled End Time" : 05/26/16 02:00:00.000
"Actual End Time" : 05/26/18 05:12:00.000
I wanted the difference in minutes between Actual End Time and Scheduled End time. (192 minutes)

I have tried this approach
{search}|eval ac_end='Actual End Time'|convert mktime(ac_end) as ac_time timeformat="%Y-%m-%d %H:%M:%S"