Solved: how to convert time format in search query

kirrusk · ‎08-26-2020

could someone please help me to convert the time format.

time: Thu jul 20 18:49:57 2020 (string type)

i'm trying to get 2020-07-20 18:49:57

i want final result to get diff between two dates , like 2020-07-20 18:49:57 - 2020-07-21 18:49:57 (in days)

richgalloway · ‎08-26-2020

To convert time strings into a different format, use a combination of strptime() and strftime().

... | eval newFormat=strftime(strptime(oldformatfield, "%a %b %d %H:%M:%S %Y"), "%Y-%m-%d %H:%M:%S")

To get the difference between two dates, however, you must use the parsed (epoch) form.

... | eval diff = strptime(oldformatfield1, "%a %b %d %H:%M:%S %Y") - strptime(oldformatfield2, "%a %b %d %H:%M:%S %Y")

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎08-26-2020

To convert time strings into a different format, use a combination of strptime() and strftime().

... | eval newFormat=strftime(strptime(oldformatfield, "%a %b %d %H:%M:%S %Y"), "%Y-%m-%d %H:%M:%S")

To get the difference between two dates, however, you must use the parsed (epoch) form.

... | eval diff = strptime(oldformatfield1, "%a %b %d %H:%M:%S %Y") - strptime(oldformatfield2, "%a %b %d %H:%M:%S %Y")

---
If this reply helps you, Karma would be appreciated.

kirrusk · ‎08-26-2020

can u please suggest how to convert the diff values to days

richgalloway · ‎08-26-2020

Let eval do the math for you.

| eval days = diff / 86400

---
If this reply helps you, Karma would be appreciated.

how to convert time format in search query