- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Calcuate time differences
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calcuate time differences
Hi,
Looking out to calculate and find out the time differences between two time stamps (milliseconds and seconds). Please help.
B_Timestamp Minus A_Timestamp (Need to achieve this logic).
A_Timestamp B_Timestamp epoc_ATimestamp epoc_BTimestamp
2017-03-09-11:59:59.799 2017-03-09-11:59:59.817 1488978000.000000 1488978000.000000
2017-03-09-11:59:59.722 2017-03-09-11:59:59.754 1488978000.000000 1488978000.000000
index="idx_sample" | eval DateTime = split(DateTime," ") | eval A_Timestamp = mvindex(DateTime,0) | eval B_Timestamp = mvindex(DateTime,1) | eval epoc_ATimestamp=strptime(A_Timestamp,"%Y-%m-%d") | eval epoc_BTimestamp=strptime(B_Timestamp,"%Y-%m-%d") | table A_Timestamp,B_Timestamp,epoc_ATimestamp,epoc_BTimestamp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest way is to translate them both into epoch time, which is in seconds already. (Your Epoch timestamps are incorrect.)
| eval epoc_ATimestamp=strptime(A_Timestamp,"%Y-%m-%d-%H:%M:%S.%3Q")
| eval epoc_BTimestamp=strptime(B_Timestamp,"%Y-%m-%d-%H:%M:%S.%3Q")
note - %3Q, %3N or %Q will all work to extract the 3-digit millisecond data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this (time format updated).
index="idx_sample" | eval DateTime = split(DateTime," ") | eval A_Timestamp = mvindex(DateTime,0) | eval B_Timestamp = mvindex(DateTime,1) | eval epoc_ATimestamp=strptime(A_Timestamp,"%Y-%m-%d-%H:%M:%S.%3N") | eval epoc_BTimestamp=strptime(B_Timestamp,"%Y-%m-%d-%H:%M:%S.%3N") | table A_Timestamp,B_Timestamp,epoc_ATimestamp,epoc_BTimestamp
See this for more information on time formats
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's the difference between %3N and %3Q?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both will be same if a width is specified. I believe in strptime both %N and %Q behave the same. There is a great explanation for this difference in the comments section of the link that I shared.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since the comment section mentioned in this answer is gone from docs but this thread comes up first when googling for splunk strptime %Q %N (at least for me), I'll add a link to a different place where I found an explanation by @DalJeanis : https://community.splunk.com/t5/Splunk-Search/How-can-I-find-the-time-duration-between-two-fields/m-...
Basically, %N and %Q can do the same if you provide them with a length (such as %6N or %3N). Without length specified, %N will default to three and %Q to six digits.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I initially called out %3Q, then assumed yours was right when i couldn't distinguish them in the docs. I'll change mine back.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
