How can I get the time difference between the two fields below?
TIA
Like this. This will convert your fields to epoch time, find the difference, then convert to hours/min/sec.
| eval time_epoch=strptime(time, "%m/%d/%y %H:%M:%S")
| eval timenow_epoch=strptime(timenow, "%m/%d/%y %H:%M:%S")
| eval diff=timenow_epoch-time_epoch
| eval diff=tostring(round(diff), "duration")
Use:
| eval time_diff = strptime(timenow, "%m/%d/%y %H:%M:%S") - strptime(time, "%m/%d/%y %H:%M:%S")
Sample query:
| makeresults | eval time="02/18/20 12:00:45", timenow="02/18/20 14:12:32" | eval time_diff = strptime(timenow, "%m/%d/%y %H:%M:%S") - strptime(time, "%m/%d/%y %H:%M:%S")
Thanks @manjunathmeti
Thank you @skoelpin
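Added example, not from the original posters: the same strptime subtraction run over four constructed rows, covering a same-day gap, a gap that crosses midnight, a gap longer than 24 hours, and a row whose timestamp does not match the format string. The field names row, note, parse_ok and diff_sec are assumptions for illustration, and the difference is formatted with tostring(..., "duration") rather than strftime, which would read the number of seconds as a calendar timestamp.

```spl
| makeresults count=4
| streamstats count AS row
| eval note=case(row=1, "constructed: same day",
                 row=2, "constructed: crosses midnight",
                 row=3, "constructed: longer than 24 hours",
                 row=4, "constructed: time is not in %m/%d/%y format")
| eval time=case(row=1, "02/18/20 12:00:45",
                 row=2, "02/18/20 23:59:50",
                 row=3, "02/17/20 08:00:00",
                 row=4, "2020-02-18 12:00:45")
| eval timenow=case(row=1, "02/18/20 14:12:32",
                    row=2, "02/19/20 00:00:10",
                    row=3, "02/18/20 14:12:32",
                    row=4, "02/18/20 14:12:32")
| eval time_epoch=strptime(time, "%m/%d/%y %H:%M:%S"),
       timenow_epoch=strptime(timenow, "%m/%d/%y %H:%M:%S")
| eval parse_ok=if(isnull(time_epoch) OR isnull(timenow_epoch), "no", "yes")
| eval diff_sec=round(timenow_epoch - time_epoch)
| eval diff=if(parse_ok="yes", tostring(diff_sec, "duration"), null())
| table row note time timenow parse_ok diff_sec diff
```

Rows that strptime cannot parse come back null, so parse_ok flags them instead of letting an empty diff pass unnoticed.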