Hi,
I want to change the date format and find the difference in days from the current day.
The date format I have now is:
Timestamp
10/31/2022 1:28:20 PM
index=s sourcetype=Resources|fillnull
| eval Timestamp=strftime(strptime('Timestamp',"%m/%d/%Y"),"%Y-%m-%d") | eval diff=now()-Timestamp|table Name _time Timestamp diff
Here I am not getting the diff field populated with the difference in number of days. It shows as blank. The date format I expect is %Y-%m-%d for the Timestamp column.
Please help me to achieve this.
In order to do arithmetic on time values, they need to be in epoch form, so save the epoch time returned by strptime() so you can subtract it from now().
index=s sourcetype=Resources
|fillnull
| eval time=strptime('Timestamp',"%m/%d/%Y")
| eval Timestamp=strftime(time,"%Y-%m-%d")
| eval diff=now()-time
|table Name _time Timestamp diff
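An added example (not part of the original answer) that runs on its own in the search bar: it builds three constructed Timestamp values with makeresults, parses the full value including the 12-hour time, and divides the epoch difference by 86400 to get whole days. The field names epoch, diff_days and parsed and the sample values are assumptions for illustration; a value that strptime() cannot parse leaves diff_days empty, which is the same blank result described in the question.

```spl
| makeresults
| eval Timestamp=split("10/31/2022 1:28:20 PM|11/02/2022 9:05:00 AM|not a date", "|")
| mvexpand Timestamp
| eval epoch=strptime(Timestamp, "%m/%d/%Y %I:%M:%S %p")
| eval parsed=if(isnull(epoch), "no", "yes")
| eval diff_days=floor((now() - epoch) / 86400)
| eval Timestamp=if(isnull(epoch), Timestamp, strftime(epoch, "%Y-%m-%d"))
| table Timestamp parsed diff_days
```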