Solved: Time difference between 2 fields

nathanluke86 · ‎02-18-2020

How can I get the time difference between two fields below

alt text

TIA

skoelpin · ‎02-18-2020

Like this.. This will convert your fields to epoch time, find the difference, then convert to hours/min/sec

| eval time_epoch=strptime(time, "%m/%d/%y %H:%M:%S")
| eval timenow_epoch=strptime(timenow, "%m/%d/%y %H:%M:%S")
| eval diff=timenow_epoch-time_epoch
| eval diff=strftime(diff, "%H:%M:%S")

View solution in original post

manjunathmeti · ‎02-18-2020

Use:

| eval time_diff = strptime(timenow, "%m/%d/%y %H:%M:%S") - strptime(time, "%m/%d/%y %H:%M:%S")

Sample query:

| makeresults | eval time="02/18/20 12:00:45",  timenow="02/18/20 14:12:32" | eval time_diff = strptime(timenow, "%m/%d/%y %H:%M:%S") - strptime(time, "%m/%d/%y %H:%M:%S")

nathanluke86 · ‎02-18-2020

Thanks @manjunathmeti

skoelpin · ‎02-18-2020

Like this.. This will convert your fields to epoch time, find the difference, then convert to hours/min/sec

| eval time_epoch=strptime(time, "%m/%d/%y %H:%M:%S")
| eval timenow_epoch=strptime(timenow, "%m/%d/%y %H:%M:%S")
| eval diff=timenow_epoch-time_epoch
| eval diff=strftime(diff, "%H:%M:%S")

nathanluke86 · ‎02-18-2020

Thankyou @skoelpin

Time difference between 2 fields

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

Time difference between 2 fields

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!