I have the following event:
2023-01-25T20:20:45.429989-08:00 abc log-inventory.sh[20519]: Boot timestamp: 2023-01-25 20:15:56
I am trying to extract the Boot timestamp and then calculate the difference between the current time and the Boot timestamp.
I used the following search:
index=abc
| rex field=_raw "Boot\s*timestamp\:\s*(?<Boot_Time>[^.*]+)"
| stats Latest(Boot_Time) as Boot_Time latest(_time) as time by host
| eval diff = now() - Boot_Time
but it shows no results.
I used the search below and it worked:
| stats Latest(Boot_Time) as Boot_Time by host
| eval epoch1=strptime(Boot_Time,"%Y-%m-%d %H:%M:%S")
| eval current=now()
| eval ctime=strftime(current,"%Y-%m-%d %H:%M:%S")
| eval diff=tostring(current - epoch1,"duration")
| table host Boot_Time ctime diff
| rename ctime as Current_Time diff as Duration
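As an added example (not part of the original post), here is the full pipeline from the raw event to a duration, made self-contained with `makeresults` so it can be pasted into any search bar without the `abc` index. The event text and the `host` value are constructed from the line quoted above; the field names `boot_epoch`, `uptime_seconds` and `Duration` are my own choices.

```spl
| makeresults
| eval host="abc"
| eval _raw="2023-01-25T20:20:45.429989-08:00 abc log-inventory.sh[20519]: Boot timestamp: 2023-01-25 20:15:56"
| rex field=_raw "Boot\s*timestamp:\s*(?<Boot_Time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
| eval boot_epoch=strptime(Boot_Time, "%Y-%m-%d %H:%M:%S")
| eval uptime_seconds=now() - boot_epoch
| eval Duration=tostring(uptime_seconds, "duration")
| eval Current_Time=strftime(now(), "%Y-%m-%d %H:%M:%S")
| table host Boot_Time Current_Time uptime_seconds Duration
```

Two points worth noting. First, the subtraction only works after `strptime` turns the string into an epoch number; the first search fails because `now()` (a number) minus `Boot_Time` (a string) yields nothing. Second, the capture group matches the exact `YYYY-MM-DD HH:MM:SS` shape rather than `[^.*]+`, so any text that follows the timestamp on the line cannot leak into the field and break the parse. The Boot timestamp carries no timezone, so `strptime` interprets it in the timezone of the user running the search; if the host logs in a different timezone the computed uptime will be offset by that difference. To run this against real data, replace the first three lines with `index=abc` and keep the rest of the pipeline, adding `| stats latest(Boot_Time) as Boot_Time by host` before the `strptime` step if you want one row per host.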