epoch time subtraction gives negative values

Path Finder

Subtracting two timestamps results in negative values. I am using epoch time to find the difference between two timestamps, but the results come out as negative values.

index=npp_pe_sumidx_slr003 | streamstats values(Time5) as new, values(Time6) as old | eval duration2=new-old | table new old duration2

T1                 T2                 Diff
1521470540.030000  1521470540.290000  -0.260000
1521470596.110000  1521470596.360000  -0.250000
1521470620.090000  1521470620.310000  -0.220000
1521470588.020000  1521470588.240000  -0.220000


SplunkTrust

@kishen2017, the negative difference in the above example looks correct to me.

1521470540.290000 (T2) > 1521470540.030000 (T1). If you compare, 29 > 03 and the difference is 26. Since you are performing T1-T2, you are expected to get negative values. So you should perform T2-T1 as per your data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SplunkTrust

Are you sure you have the fields in the correct order? Perhaps Time5 is old and Time6 is new?

---
If this reply helps you, an upvote would be appreciated.

Path Finder

Hi richgalloway,

Timestamp order is correct. Time5 is new and Time6 is old, and we want to subtract Time5 - Time6 only. These negative results are not coming for all the events; only for specific events are we getting the negative values. Those negative values are updated in the ticket.

Regards,
Krishna


SplunkTrust

Have you verified the values of Time5 and Time6 are the same as what your ticketing system says? If you just need to make sure you don't get a negative value for duration2 use ... | eval duration2=abs(new-old) | ...
