Getting Data In

how to find time difference in below format?

manuraj_rajappa
New Member

New_Time=2020‎-‎01‎-‎19T15:06:53.134000000Z
Previous_Time=2020‎-‎01‎-‎19T15:06:53.134396700Z

how to find the time difference of above times?

0 Karma

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval New_Time="2020-01-19T15:06:53.134000000Z",Previous_Time="2020-01-19T15:06:53.134396700Z" 
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") 
| fieldformat diff = tostring(diff, "duration") 
| table diff
0 Karma

manuraj_rajappa
New Member

alt text

Am getting blank result while executing query. Please find the screenshot

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please consider changing your user name. We discourage the use of email addresses here to avoid spam.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

To find the difference between times you must first convert them to epoch form.

... | eval nt = strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z"), pt= strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| eval diff = nt - pt
| fieldformat diff = tostring(diff, "duration")
| table diff
---
If this reply helps you, Karma would be appreciated.
0 Karma

manuraj_rajappa
New Member

Getting blank result after query. Please advise.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @manuraj.rajappan@tcs.com,
to find time differences, you have to convert your timestamps in epoch time using eval command and the strptime function, something like this:

your search
| eval diff=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")
| ...

Ciao.
Giuseppe

0 Karma

manuraj_rajappa
New Member

Am getting blank screen while executing query. (Please find above)

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @manuraj.rajappan@tcs.com,
I think that New_Time and Previous_Time are two field already extracted and present in you logs.
If you haven't them, you have to understand how to extract them from logs or from a correlation.
Can you share two events identifying the above fields?

ciao.
Giuseppe

0 Karma

manuraj_rajappa
New Member

Both filelds are available already for each event. No issues with this I guess. Need some help 😞

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @manuraj.rajappan@tcs.com,
debug the situation in this way:

index=your_index New_Time=* Previous_Time=*
| table _time New_Time Previous_Time 

in this way you can be sure that the fields are in each event

than continue in this way

index=your_index New_Time=* Previous_Time=*
| eval New_epoch_Time=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N"), Previous_epoch_Time=strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N"), diff=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")
| table _time New_Time Previous_Time New_epoch_Time Previous_epoch_Time diff

In this way you can see if the conversion in epoch time is correct.

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...