Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

epoch time subraction gives negative values

kishen2017
Path Finder
‎03-19-2018 07:00 PM

Subtracting two timestamps results in negative values. Using epoch time to find the differences between two timestamp but the results comes in negative values.

index=npp_pe_sumidx_slr003 | streamstats values(Time5) as new, values(Time6) as old | eval duration2=new-old | table new old duration2 

   T1                               T2                           Diff

1521470540.030000 1521470540.290000 -0.260000
1521470596.110000 1521470596.360000 -0.250000
1521470620.090000 1521470620.310000 -0.220000
1521470588.020000 1521470588.240000 -0.220000

Tags (1)
0 Karma
Reply

nanosam
Explorer
‎02-05-2021 07:39 AM

Hi kishen,

did you find the a solution for your problem? I struggle with the same problem at my calculation.

nanosam

0 Karma
Reply

niketn
Legend
‎03-19-2018 11:20 PM

@kishen2017, the negaive difference in the above example look correct to me.

1521470540.290000 (T2) > 1521470540.030000 (T1). If you compare 29 > 03 and difference is 26. Since you are performing T1-T2 you are expected to get negative values. So you should perform T2-T1 as per your data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-19-2018 07:08 PM

Are you sure you have the fields in the correct order? Perhaps Time5 is old and Time6 is new?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

kishen2017
Path Finder
‎03-19-2018 07:20 PM

Hi richgalloway,

Timestamp order is correct. Time5 is new and Time6 is old and we want to subtract Time5 - Time6 only. This negative results not coming for all the events..only for specfic events we are getting the negative values. those negative values are updated in ticket

Regards,
Krishna

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-19-2018 08:24 PM

Have you verified the values of Time5 and Time6 are the same as what your ticketing system says? If you just need to make sure you don't get a negative value for duration2 use ... | eval duration2=abs(new-old) | ...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...