I am trying to get time difference between 2 timestamps, I have one field deployment_ts
with one value and list of time stamps commit_ts
, i want a list containing the difference for each value in list with the other field eval commit_to_rel = (deployment_ts - commit_ts)
. Bu t I am not getting any result.
here is my query
index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| eval commit_to_rel = (deployment_ts - commit_ts)
| stats list(commit_date), list(commit_ts), list(deployment_ts), list(commit_to_rel)
Can anyone please tell me how to get this done?
here is the picture of results along with the querry.
Hi @dheri,
Try this :
index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_ts, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel = (deployment_ts - commit_ts)
Let me know if that helps.
Cheers,
David
Hi @dheri,
Try this :
index=x application_name="yy-xx-zz" event_type="ev"
| spath path=commits{}.date output=commit_date
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_ts, "%Y-%m-%dT%H:%M:%SZ"))
| mvexpand commit_ts
| eval commit_to_rel = (deployment_ts - commit_ts)
Let me know if that helps.
Cheers,
David
Hi @dheri Was that helpful ? Can you let me know if it worked for you ?
Yes, I was able to expand single event into multiple events.
Awesome ! Great to hear that !
@dheri
Is the date format for deployment_time
and commit_date
are the same? If not, can you please share it else pls try below search?
| makeresults
| eval _raw="{\"deployment_time\": \"2019-06-03T15:41:26Z\",\"commit_date\": \"2019-06-03T15:41:26Z\"}"
| kv
| eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
| eval commit_ts = (strptime(commit_date, "%Y-%m-%dT%H:%M:%SZ"))
| eval commit_to_rel = (deployment_ts - commit_ts)
Just made change in | eval deployment_ts = (strptime(deployment_time, "%Y-%m-%dT%H:%M:%S%Z"))
@kamlesh_vaghela
Yes, there is difference between date format of deployment_time
and commit_date
but they both are converted into unix timestamps, which I can see in result as deployment_ts
and commit_ts
. I tried the query you asked me. Here are the results