Re: convert dateTime and calculate difference

AzmathShaik · ‎05-10-2023

i have a field as createddate where the DateTime format is as below
2023-02-28T21:55:35.646-08:00
2022-03-24T02:42:16.983-07:00
i'm trying to calculate the difference between now and createddate. can some help me in doing so. i tried to convert createddate and get the difference but no luck

Thanks in advance

richgalloway · ‎05-10-2023

Try this set of SPL commands

| eval time=strptime(createddate,"%Y-%m-%dT%H:%M:%S.%3N%:z")
| eval diff=now()-time

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎05-10-2023

| eval _time=strptime(createddate,"%FT%T.%3N%:z")
| eval diff=now()-_time

AzmathShaik · ‎05-10-2023

unfortunately it is not extracting the values

bowesmana · ‎05-10-2023

That syntax is correct - here's an example using your data and ITWhisperer's solution

| makeresults 
| fields - _time 
| eval createddate=split("2023-02-28T21:55:35.646-08:00,2022-03-24T02:42:16.983-07:00", ",")
| mvexpand createddate
``` Suggested solution ```
| eval _time=strptime(createddate,"%FT%T.%3N%:z")
| eval diff=now()-_time

so if it's not extracting then either you don't have a field called createddate or it is not in the format you suggest.

Can you post your SPL and an screenshot of your data.

How to convert dateTime and calculate difference?

dashboard

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

How to convert dateTime and calculate difference?

dashboard

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2