Re: Date time difference

vaibhavagg2006 · ‎12-24-2012

Hi,
I am having events with start datetime and end datetime in it.I want to calculate difference between them in the format:- Number of days-number of hours-number of minutes-no of seconds-number of miliseconds

The date format is as mentioned below
Startdate :- 12/24/2012 02-13-41.224
Enddate :- 12/24/2012 02-14-46.330
I tried various convert options but splunk is not calculating the difference and not able to convert datetime in epoch format.Everytime it displays blank values.
Any help will be appreciated and useful.

yannK · ‎12-24-2012

If the conversions do not work, is it because they do not go up to the millisecond, or because you cannot revert to days/hour/min/sec/millsec after ?

the long way is to extract all to epochtime using convert and TIMEFORMAT.
```
| convert TIMEFORMAT="%m/%d/%Y %H-%M-%S" mktime(Startdate) AS startdate_epoch

| rex field="Startdate" ".(?<start_millisec>\d+)"
```
eventually keep the milliseconds aside it they are not converted.
do the subtraction.
| eval duration_sec=startdate_epoch-enddate_epoch
| eval duration_millisec=start_millisec-end_millisec
use a giant eval to convert the seconds to days / hour / min /sec, then add the milliseconds + extra seconds.

Drainy · ‎12-26-2012

Don't forget to click the tick mark next to the answer! That way anyone else with the same problem will be able to find this one easily 🙂

vaibhavagg2006 · ‎12-26-2012

This worked. Thankyou.

Date time difference

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation