Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the difference between two time stamps in a single event?

ambujhbti
New Member
‎06-25-2015 08:49 AM

Hello all,

This is my first post.

I am trying to calculate time diff between two fields in a single event.

For example: 

Time_HTTP_Start: 06/25/2015 09:59:43:586
Time_HTTP_Sent: 06/25/2015 09:59:43:830

My current search:

sourcetype="XXXXXX"   host="XXXXXX" |eval diff= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")- strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")|table diff

I only get an empty result. Can somebody tell me what I am missing? I am sure its very easy for you guys!

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-25-2015 11:17 PM

I would break it down a little more, just so I could see what is happening:

sourcetype="XXXXXX"   host="XXXXXX" 
| eval sent= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")
| eval start= strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")
| eval diff= sent-start
| table Time_HTTP_Sent Time_HTTP_Start sent start diff

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-25-2015 11:17 PM

I would break it down a little more, just so I could see what is happening:

sourcetype="XXXXXX"   host="XXXXXX" 
| eval sent= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")
| eval start= strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")
| eval diff= sent-start
| table Time_HTTP_Sent Time_HTTP_Start sent start diff
Reply
Solved! Jump to solution

ambujhbti
New Member
‎07-10-2015 01:56 PM

Thank you!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎06-25-2015 09:36 AM

First, make sure your fields are extracted correctly:

sourcetype="XXXXXX"   host="XXXXXX" | table _time Time_HTTP_Sent Time_HTTP_Start _raw
Reply
Solved! Jump to solution

ambujhbti
New Member
‎07-10-2015 01:56 PM

Thank you. I have checked it and found that the data was not extracted. Thank you again!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...