Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate the difference between two time fields within a single event

migquinn
Engager
‎01-22-2020 10:29 PM

I have two time fields in a single event that I need to calculate the difference between and then display said difference in a table.

The two fields and time formats are below:

Time Created - Wed, 18 Dec 2019 19:23:56 -0500
Time Assigned - Wed, 18 Dec 2019 19:36:00 -0500

I would also like to then display the average of the difference for the other events, for example, if I have 10 events, I'd like the average time of the 10 differences.

Thanks in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-22-2020 10:58 PM

Hi @migquinn,
for first question you have to convert dates in epochtime using eval command and strptime funcion, but first rename fileds without spaces:

your_search
| rename "Time Created" AS Time_Created "Time Assigned" AS Time_Assigned
| eval diff=strptime(Time_Created,"%a, %d %b %Y %H:%M:%S %z")  - strptime(Time_Assigned,"%a, %d %b %Y %H:%M:%S %z") 
| table Time_Created Time_Assigned diff

About the average:

your_search
| rename "Time Created" AS Time_Created "Time Assigned" AS Time_Assigned
| eval diff=strptime(Time_Created,"%a, %d %b %Y %H:%M:%S %z")  - strptime(Time_Assigned,"%a, %d %b %Y %H:%M:%S %z") 
| stats avg(diff) AS Average

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-22-2020 10:58 PM

Hi @migquinn,
for first question you have to convert dates in epochtime using eval command and strptime funcion, but first rename fileds without spaces:

your_search
| rename "Time Created" AS Time_Created "Time Assigned" AS Time_Assigned
| eval diff=strptime(Time_Created,"%a, %d %b %Y %H:%M:%S %z")  - strptime(Time_Assigned,"%a, %d %b %Y %H:%M:%S %z") 
| table Time_Created Time_Assigned diff

About the average:

your_search
| rename "Time Created" AS Time_Created "Time Assigned" AS Time_Assigned
| eval diff=strptime(Time_Created,"%a, %d %b %Y %H:%M:%S %z")  - strptime(Time_Assigned,"%a, %d %b %Y %H:%M:%S %z") 
| stats avg(diff) AS Average

Ciao.
Giuseppe

Reply
Solved! Jump to solution

migquinn
Engager
‎01-23-2020 08:43 PM

Hi Giuseppe,

Thank you very much, this worked a charm!

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...