How to calculate duration from now with a differen...

power12 · ‎01-27-2023

I have the following event

2023-01-25T20:20:45.429989-08:00 abc log-inventory.sh[20519]: Boot timestamp: 2023-01-25 20:15:56

I am trying to extract the Boot timestamp and then calculating the difference between current - Boot timestamp

I used following search

index=abc
| rex field=_raw "Boot\s*timestamp\:\s*(?<Boot_Time>[^.*]+)"
| stats Latest(Boot_Time) as Boot_Time latest(_time) as time by host|eval diff = now() - Boot_Time but it shows no results

power12 · ‎01-27-2023

I used the below search and it worked

| stats Latest(Boot_Time) as Boot_Time   by host
| eval epoch1=strptime(Boot_Time,"%Y-%m-%d %H:%M:%S") 
| eval current=now()
| eval ctime=strftime(current,"%Y-%m-%d %H:%M:%S")
 | eval diff=tostring(current- epoch1,"duration")
| table host Boot_Time ctime diff
| rename ctime as Current_Time diff as Duration

How to calculate duration from now with a different time field?

other

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms