Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the difference in minutes/seconds between two timestamps in a human readable format?

rijinc
Explorer
‎11-30-2016 03:03 AM 
Submit Date / Creation Date Time Stamp  Incident Response Date Time
09/14/2016 01:14 AM                    09/14/2016 01:19 AM

I was searching many scenarios in the SPLUNK community, but was not able to find a solution for this. We need to find the difference between the two timestamps above, and I need to display the output in minutes, seconds etc.

Is it possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-30-2016 04:37 AM

Yes, it is possible.

Without an actual sample of the entire event, this may be slightly off. Also, I don't know if you have it in fields or not, nor what fields it may be. As I look at what you have, I'm going to hope you have two fields, a "submit date time stamp" and a "incident response date time". This is highly likely to be wrong.

... your base search here ... 
| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval difference=response-submit | eval diff_in_minutes=difference/60

You will have to fix the fieldnames (submit_date, response_date) or reply with more information about that.

That uses eval strptime to convert the text strings into actual dates/times in unix epoch. That's just seconds, so we subtract them to get the difference and divide by 60 to get minutes.

Here's a run-anywhere example where I create the two fields, then perform the above calculations on them.

* | stats count | eval submit_date="09/14/2016 01:14 AM" | eval response_date="09/14/2016 01:19 AM"
| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval difference=response-submit | eval diff_in_minutes=difference/60

Note if you really don't need the difference in seconds you could just simplify:

| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval diff_in_minutes=(response-submit)/60

Happy Splunking!
-Rich

View solution in original post

Reply
Solved! Jump to solution

Bracha
Path Finder
‎09-24-2024 01:58 AM

I'm trying to calculate the minute difference between two times
and get an empty field

 

.........base search here.........
|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N")
|eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S")
|eval diff = (end_time-time_epoch)/60

 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-24-2024 02:28 AM

If something doesn't work as you expect step back and check if you're getting right data in to get right data out.

1. After you eval your end_time, does it conatin a proper numerical epoch timestamp?

2. The time_epoch will most definitely _not_ contain proper epoch timestamp. The now() function itself returns what you need. There's no need to strptime() it. In fact it will only break its value since you can't parse a number using your provided time format.

0 Karma
Reply
Solved! Jump to solution

Bracha
Path Finder
‎09-24-2024 03:36 AM

 

.........base search here.........
|end_time = 2024-09-24 08:17:13.014337+00:00
|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S")
|eval _time = now()
|eval time_epoch = strptime(time_epoch, "%Y:%m:%d %H:%M:%S")
|eval diff = (time_epoch-end_time)/60
0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-30-2016 04:37 AM

You have to convert the time to epochtime before you calculate difference. Try this

.... | eval submit=strptime("Submit Date / Creation Date Time Stamp", "%m/%d/%Y %H:%M %p") | eval response=strptime("Incident Response Date Time", "%m/%d/%Y %H:%M %p") | eval time_diff=response-submit | eval time_diff=tostring(time_diff, "duration")
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎11-30-2016 04:37 AM

Yes, it is possible.

Without an actual sample of the entire event, this may be slightly off. Also, I don't know if you have it in fields or not, nor what fields it may be. As I look at what you have, I'm going to hope you have two fields, a "submit date time stamp" and a "incident response date time". This is highly likely to be wrong.

... your base search here ... 
| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval difference=response-submit | eval diff_in_minutes=difference/60

You will have to fix the fieldnames (submit_date, response_date) or reply with more information about that.

That uses eval strptime to convert the text strings into actual dates/times in unix epoch. That's just seconds, so we subtract them to get the difference and divide by 60 to get minutes.

Here's a run-anywhere example where I create the two fields, then perform the above calculations on them.

* | stats count | eval submit_date="09/14/2016 01:14 AM" | eval response_date="09/14/2016 01:19 AM"
| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval difference=response-submit | eval diff_in_minutes=difference/60

Note if you really don't need the difference in seconds you could just simplify:

| eval submit=strptime(submit_date, "%m/%d/%Y %I:%M %p") 
| eval response=strptime(response_date, "%m/%d/%Y %I:%M %p")
| eval diff_in_minutes=(response-submit)/60

Happy Splunking!
-Rich

Reply
Solved! Jump to solution

Bracha
Path Finder
‎09-24-2024 01:42 AM

hi
I have a similar problem
Tried this solution and I get an empty field

 

|eval end_time = strptime(end_time_epoch, "%Y:%m:%d %H:%M:%S:%N")
|eval time_epoch = strptime(now(), "%Y:%m:%d %H:%M:%S")
|eval diff = (end_time-time_epoch)/60

@Richfez 

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-28-2024 08:38 AM
Hi
As this is quite old thread, please create a new question to get answer. I suppose that most of us, didn't read and try to find new comments/questions from old and answered threads.

Based on field name you try to convert epoch time to epoch?
0 Karma
Reply
Solved! Jump to solution

rakeshyv0807
Explorer
‎04-03-2019 11:24 AM

Hi,

I have similar question and your response was with regards to two different fields but in my case we have only single timestamp field but there are two logs with two different timestamps in that field. How to calculate the difference? Can you kindly help.

See below sample of my logs:

11:01:17.876 AM 2019-04-03 tid:XG5HNBNsbPp8uZis90UWNl9vnqQ DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] entityid:ApplicationName subject:null

2019-04-03 11:01:26,579 tid:XG5HNBNsbPp8uZis90UWNl9vnqQ DEBUG [org.sourceid.util.log.internal.TrackingIdSupport] [cross-reference-message] entityid:ApplicationName subject:JohnDoe

The difference between two logs is the time stamp and subject value where in the first log the subject is null and in the second the subject is user id.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top