New_Time=2020-01-19T15:06:53.134000000Z
Previous_Time=2020-01-19T15:06:53.134396700Z
How do I find the time difference between the above times?
Hi
Check this
| makeresults
| eval New_Time="2020-01-19T15:06:53.134000000Z",Previous_Time="2020-01-19T15:06:53.134396700Z"
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") - strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| fieldformat diff = tostring(diff, "duration")
| table diff
Please consider changing your user name. We discourage the use of email addresses here to avoid spam.
To find the difference between times, you must first convert them to epoch form.
... | eval nt=strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z"), pt=strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| eval diff = nt - pt
| fieldformat diff = tostring(diff, "duration")
| table diff
I am getting a blank result after running the query. Please advise.
Hi @manuraj.rajappan@tcs.com,
To find time differences, you have to convert your timestamps to epoch time using the eval command and the strptime function, something like this:
your search
| eval diff=strptime(New_Time,"%Y-%m-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9N")
| ...
Ciao.
Giuseppe
I am getting a blank screen while executing the query (please see above).
Hi @manuraj.rajappan@tcs.com,
I think that New_Time and Previous_Time are two fields already extracted and present in your logs.
If you don't have them, you have to work out how to extract them from the logs or from a correlation.
Can you share two events identifying the above fields?
Ciao.
Giuseppe
Both fields are already available for each event. No issues with this, I guess. I need some help 😞
Hi @manuraj.rajappan@tcs.com,
Debug the situation in this way:
index=your_index New_Time=* Previous_Time=*
| table _time New_Time Previous_Time
In this way you can be sure that the fields are in each event.
Then continue in this way:
index=your_index New_Time=* Previous_Time=*
| eval New_epoch_Time=strptime(New_Time,"%Y-%m-%dT%H:%M:%S.%9N"), Previous_epoch_Time=strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9N"), diff=strptime(New_Time,"%Y-%m-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9N")
| table _time New_Time Previous_Time New_epoch_Time Previous_epoch_Time diff
In this way you can see whether the conversion to epoch time is correct.
Ciao.
Giuseppe
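The debugging approach from this thread, carried through as an added example on a constructed event rather than code from any of the posts above. It uses the two timestamp values from the question, built with makeresults so it runs without an index; the field names New_Time and Previous_Time are the question's, while the parse_status check, the explicit UTC handling (the trailing Z is rewritten to +0000 and parsed with %z so the result does not depend on the searching user's time zone setting) and the integer-nanosecond path are this example's own choices. The first part reproduces the strptime conversion and flags which field failed to parse when the result is blank: strptime returns null when the value does not match the format string, and null minus anything is null, which is exactly the "blank result" symptom. The second part recomputes the difference from the raw digits, because epoch values are floating-point and the nanosecond digits of a 2020 timestamp sit at the edge of that precision.

```spl
| makeresults
| eval New_Time="2020-01-19T15:06:53.134000000Z", Previous_Time="2020-01-19T15:06:53.134396700Z"
| eval new_epoch=strptime(replace(New_Time, "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S.%9N%z"),
       prev_epoch=strptime(replace(Previous_Time, "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S.%9N%z")
| eval parse_status=case(isnull(new_epoch) AND isnull(prev_epoch), "neither timestamp matched the format string",
                         isnull(new_epoch), "New_Time did not match the format string",
                         isnull(prev_epoch), "Previous_Time did not match the format string",
                         true(), "ok")
| eval diff_seconds=new_epoch-prev_epoch,
       diff_ms=round(diff_seconds*1000, 3)
| rex field=New_Time "^(?<new_sec_str>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(?<new_ns>\d{9})Z$"
| rex field=Previous_Time "^(?<prev_sec_str>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(?<prev_ns>\d{9})Z$"
| eval new_sec=strptime(new_sec_str."+0000", "%Y-%m-%dT%H:%M:%S%z"),
       prev_sec=strptime(prev_sec_str."+0000", "%Y-%m-%dT%H:%M:%S%z")
| eval diff_ns=(new_sec-prev_sec)*1000000000 + (tonumber(new_ns)-tonumber(prev_ns))
| table New_Time Previous_Time parse_status new_epoch prev_epoch diff_seconds diff_ms diff_ns
```

To run it against real data, replace the first two lines with the base search Giuseppe gave (index=your_index New_Time=* Previous_Time=*). For the question's values the whole seconds are equal, so diff_ns comes out as 134000000 minus 134396700, that is -396700 nanoseconds, about -0.397 ms; the sign is negative because the example keeps Giuseppe's New_Time minus Previous_Time convention and Previous_Time is the later of the two. Only the difference of the whole-second epochs is multiplied by a billion, so that term stays small and exact; multiplying a full 2020 epoch by a billion would exceed what a double can hold exactly. If parse_status reports a field that did not match, compare the raw value against the format string character by character, since a missing or extra fractional digit, a space instead of T, or an offset such as +01:00 instead of Z are the usual causes.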