topic Re: How to find the time difference in hours between the _time of two different fields ? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245668#M73229 <P>Thanks @cusello. What if i have something as below </P> <P>| convert ctime(a) timeformat="%H:%M" | convert ctime(stdev) timeformat="%H:%M" | convert ctime(y) timeformat="%H:%M" </P> <P>How can i have the difference of y and a interms of %H:%M?</P> Wed, 23 Nov 2016 15:30:47 GMT pavanae 2016-11-23T15:30:47Z How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245663#M73224 <P>I'm going crazy of calculating the difference between two fields which has epoch time. The following is my Query</P> <P>Updated :-</P> <P>foo | convert ctime(_time) as Date_and_Time|convert timeformat="%m/%d/%Y %H:%M:%S" mktime(_time) as time |eventstats range(time) as duration by user| stats avg(duration) as avgDurationPeruser by user| eval Total_time_spent(out_of_school)=tostring(ceil(avgDurationPeruser), "duration") | table user Total_AccessTime Total_time_spent(out_of_school)</P> Tue, 29 Sep 2020 11:55:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245663#M73224 pavanae 2020-09-29T11:55:00Z Re: How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245664#M73225 <P>Try this:<BR /> <A href="https://answers.splunk.com/answers/293049/calculating-the-time-difference-between-fields-how.html">https://answers.splunk.com/answers/293049/calculating-the-time-difference-between-fields-how.html</A></P> Wed, 23 Nov 2016 03:41:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245664#M73225 mrgibbon 2016-11-23T03:41:43Z Re: How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245665#M73226 <P>Hi pavanae,<BR /> sorry but I don't understand your question: the eval command correctly runs and gives the number of days between now() and the event's _time.<BR /> In addition I don't understand the last "if" of your search, because it's incomplete.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 23 Nov 2016 08:43:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245665#M73226 gcusello 2016-11-23T08:43:16Z Re: How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245666#M73227 <P>Sorry for posting the wrong Query. please find the updated Query. @cusello</P> Wed, 23 Nov 2016 13:25:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245666#M73227 pavanae 2016-11-23T13:25:32Z Re: How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245667#M73228 <P>Which are the fields to calculate difference?<BR /> every way, you have to transform both the fields in epochtime</P> <PRE><CODE>| eval time1=strptime(time1,"%Y-%m-%d %H:%M:%S"), time2=strptime(time2,"%Y-%m-%d %H:%M:%S") | eval diff=time1-time2 </CODE></PRE> <P>speculating that time format is %Y-%m-%d %H:%M:%S<BR /> _time is already in epochtime.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 23 Nov 2016 13:39:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245667#M73228 gcusello 2016-11-23T13:39:23Z Re: How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245668#M73229 <P>Thanks @cusello. What if i have something as below </P> <P>| convert ctime(a) timeformat="%H:%M" | convert ctime(stdev) timeformat="%H:%M" | convert ctime(y) timeformat="%H:%M" </P> <P>How can i have the difference of y and a interms of %H:%M?</P> Wed, 23 Nov 2016 15:30:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245668#M73229 pavanae 2016-11-23T15:30:47Z Re: How to find the time difference in hours between the _time of two different fields ? https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245669#M73230 <P>You can use</P> <PRE><CODE>| eval y=tostring(y,"duration") </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 23 Nov 2016 15:34:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-the-time-difference-in-hours-between-the-time-of-two/m-p/245669#M73230 gcusello 2016-11-23T15:34:39Z