Re: Time differece

aquillius · ‎03-18-2014

How to get the total hours rendered if i have fields start_time and end_time

ex. 09:00-18:00 = 9

somesoni2 · ‎03-19-2014

As suggested by @linu1988, you would have to convert your start_time and end_time to epoch for it. Try this.

your base search ..| eval time_diff=floor(strptime(start_time,"%H:%M")-strptime(end_time,"%H:%M")/3600) | ..rest of the search

Also note that you may have to adjust timestamp format for strptime command. Based on your sample values (09:00, 18:00) its "%H:%M". The format should be exactly as in your field value.

linu1988 · ‎03-19-2014

Hello,
You need to do some query. if you have the time in epoch format the work is easier or you need to convert them to epoch and then get the time difference.

source=x |eval start=strptime("%m/%d/%Y %H:%M:%S,start_time )|eval end=strptime("%m/%d/%Y %H:%M:%S",end_time)|eval hr=(end-start)/3600|eval hr=floor(hr)

for minutes and second you need to calculate. The difference will not give you the correct result if direct the convert it using strftime().

Thanks

joebensimo · ‎03-18-2014

In your example, are the 09:00 and 18:00 elapsed time or time of day?

Time differece

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation