How to calculate duration from now with a differen...

power12 · ‎01-27-2023

I have the following event

2023-01-25T20:20:45.429989-08:00 abc log-inventory.sh[20519]: Boot timestamp: 2023-01-25 20:15:56

I am trying to extract the Boot timestamp and then calculating the difference between current - Boot timestamp

I used following search

index=abc
| rex field=_raw "Boot\s*timestamp\:\s*(?<Boot_Time>[^.*]+)"
| stats Latest(Boot_Time) as Boot_Time latest(_time) as time by host|eval diff = now() - Boot_Time but it shows no results

power12 · ‎01-27-2023

I used the below search and it worked

| stats Latest(Boot_Time) as Boot_Time   by host
| eval epoch1=strptime(Boot_Time,"%Y-%m-%d %H:%M:%S") 
| eval current=now()
| eval ctime=strftime(current,"%Y-%m-%d %H:%M:%S")
 | eval diff=tostring(current- epoch1,"duration")
| table host Boot_Time ctime diff
| rename ctime as Current_Time diff as Duration

How to calculate duration from now with a different time field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation