Dashboards & Visualizations

How to convert dateTime and calculate difference?

AzmathShaik
Path Finder

i have a field as createddate where the DateTime format is as below
2023-02-28T21:55:35.646-08:00
2022-03-24T02:42:16.983-07:00
i'm trying to calculate the difference between now and createddate. can some help me in doing so. i tried to convert createddate and get the difference but no luck

Thanks in advance

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this set of SPL commands

| eval time=strptime(createddate,"%Y-%m-%dT%H:%M:%S.%3N%:z")
| eval diff=now()-time
---
If this reply helps you, Karma would be appreciated.
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval _time=strptime(createddate,"%FT%T.%3N%:z")
| eval diff=now()-_time

AzmathShaik
Path Finder

unfortunately it is not extracting the values

0 Karma

bowesmana
SplunkTrust
SplunkTrust

That syntax is correct - here's an example using your data and ITWhisperer's solution

| makeresults 
| fields - _time 
| eval createddate=split("2023-02-28T21:55:35.646-08:00,2022-03-24T02:42:16.983-07:00", ",")
| mvexpand createddate
``` Suggested solution ```
| eval _time=strptime(createddate,"%FT%T.%3N%:z")
| eval diff=now()-_time

so if it's not extracting then either you don't have a field called createddate or it is not in the format you suggest.

Can you post your SPL and an screenshot of your data.

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...