Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I find the difference in days between two timestamps in this format?

Makinde
New Member
‎03-29-2016 09:32 AM

Hi,

I would like to find out the difference in days between two timestamps however the time format is a little weird.

This is the time format: 2016-03-19T15:05:40Z

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎03-29-2016 11:11 AM

Probably easier to explain with an example. See below:

| stats count
| eval t1_string = "2016-03-19T15:05:40Z"
| eval t2_string = "2016-03-20T16:06:41Z"
| eval t1 = strptime(t1_string, "%Y-%m-%dT%H:%M:%SZ")
| eval t2 = strptime(t2_string, "%Y-%m-%dT%H:%M:%SZ")
| eval diffInSecs = t2 - t1
| eval diffInDuration = tostring(t2 - t1 , "duration")
| table t1_string, t2_string, diff*

Output:

t1_string   t2_string   diffInDuration  diffInSecs
2016-03-19T15:05:40Z    2016-03-20T16:06:41Z    1+01:01:01.000000   90061.000000

Let me know if that helps

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎03-29-2016 11:11 AM

Probably easier to explain with an example. See below:

| stats count
| eval t1_string = "2016-03-19T15:05:40Z"
| eval t2_string = "2016-03-20T16:06:41Z"
| eval t1 = strptime(t1_string, "%Y-%m-%dT%H:%M:%SZ")
| eval t2 = strptime(t2_string, "%Y-%m-%dT%H:%M:%SZ")
| eval diffInSecs = t2 - t1
| eval diffInDuration = tostring(t2 - t1 , "duration")
| table t1_string, t2_string, diff*

Output:

t1_string   t2_string   diffInDuration  diffInSecs
2016-03-19T15:05:40Z    2016-03-20T16:06:41Z    1+01:01:01.000000   90061.000000

Let me know if that helps

Reply
Solved! Jump to solution

Makinde
New Member
‎03-30-2016 11:14 AM

Thanks Javiergn

This seems to work, however how can round up the duration value to the nearest days so instead of 1+01:01:01 how can I round it off to one day and if larger than 12 hrs round it off 2 days

Secondly I would like to do a stats average of all the duration value, is that possible? something like this:

... search ... | stats avg(diffInDuration)

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-01-2016 02:35 AM

For the first question I wouldn't use duration in that case, I would simply divide the difference in seconds by 86400 and then use round to round it to the closest integer value. For example:

your search here
| eval diffInSecs = t2 - t1
| eval days = round(diffInSecs/86400, 0)

You can't do a stats avg of duration because it is a string but you can do an average of the time in seconds and then present that as a duration. Hope that makes sense.

yoursearch
| stats avg(diffInSecs) as avgDiffInSecs
| eval avgDiffInDuration = tostring(avgDiffInSecs , "duration")
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...