I want to calculate the time difference between two fields, so I tried the below query, but it didn't work.
Please correct my query.
index=service | eval Time=strptime(time, "%Y/%m/%d %H:%M:%S") | eval LastSync=strptime(lastSync, "%Y/%m/%d %H:%M:%S") | eval diff=LastSync-Time | table _time,lastSync,diff,| sort -time
Here is the sample event.
2017/04/26 22:43:29 operationid="1493246609" unitid="123456" easid="AAAAAAAAAA" deviceid="11111@123456" firstSync="2017/03/21 23:53:41" lastSync="2017/03/22 08:54:04" status="Quarantined" type="" userAgent="sample.com" apiname="apitest" message="MatchedStandard_mail."
I want to calculate the time difference between _time (2017/04/26 22:43:29 in this case) and lastSync (2017/03/22 08:54:04 in this case).
When I ran the query, the result came out to be like this. (See below)
_time lastSync diff
2017/04/26 22:43:29 2017/03/22 08:54:04
It seems like the eval calculation didn't work well, so the "diff" field couldn't get a value.
Just in case, I changed "strptime" to "strftime", but I got the same result.
If there is other way to fix it, please let me know.
You don't need to convert the _time field:
index=service | eval Time=_time | eval LastSync=strptime(lastSync, "%Y/%m/%d %H:%M:%S") | eval diff=LastSync-Time | table _time,lastSync,diff | sort -_time
The new eval "Time" is also not being used or sorted. Everything is going towards the original _time.
I'm not sure if that's how it was meant to be or not.
Also, I added this comment to @dineshraj9 instead of the question creator. Sorry :)
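As an added, self-contained example (not part of the original answer): the same calculation run against the sample event from the question, built with makeresults so it can be pasted into any Splunk search bar without the service index. The two rex patterns, the event_time field, and the diff_readable and diff_days fields are my own choices for illustration; the field names lastSync and _time come from the question.

```spl
| makeresults
| eval _raw="2017/04/26 22:43:29 operationid=\"1493246609\" unitid=\"123456\" lastSync=\"2017/03/22 08:54:04\" status=\"Quarantined\""
| rex field=_raw "^(?<event_time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
| rex field=_raw "lastSync=\"(?<lastSync>[^\"]+)\""
| eval _time=strptime(event_time, "%Y/%m/%d %H:%M:%S")
| eval LastSync=strptime(lastSync, "%Y/%m/%d %H:%M:%S")
| eval diff=_time-LastSync
| eval diff_readable=tostring(diff, "duration")
| eval diff_days=round(diff/86400, 2)
| table _time lastSync diff diff_readable diff_days
```

The first two eval lines only rebuild the sample event (the timestamp at the start of _raw becomes _time, exactly as the indexer would have set it); against the real index=service search they are not needed and _time can be used directly, as the answer says. The reason the original query returned an empty diff is that strptime(time, ...) refers to a field named time, which the event does not contain: a null operand makes the whole eval expression null, so diff is never populated. The subtraction is written as _time-LastSync so the result is a positive number of seconds (the answer's LastSync-Time gives the same magnitude with a negative sign), and tostring(diff, "duration") renders it as days+HH:MM:SS for a quick sanity check. One caveat: strptime without a %z in the format interprets the string in the search user's timezone, so if lastSync is recorded in a different zone than the event timestamp, or a DST change falls between the two dates, the difference will be off by the zone offset.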