Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate time difference with extracted fields and offset time zones

mrhodes93
Explorer
‎04-29-2021 12:49 PM

I've got logs that contain a timestamp in 24 hour YYYY-MM-DD HH:MM:ss:SSS format (example: 2021-04-29 18:43:07.557).  The timestamp in this log message is +5 hours ahead of the _time of the event.  

 

So far I've got this much, which extracts the timestamp from the message but I don't know how to go about showing the difference between these two, especially with the five hour offset.  Ideally would just like to show a third value of the difference in the table.  Appreciate any instruction. 

 

sourcetype="PCF:log" cf_app_name=app1 (msg="*message query here*")
| rex field=msg "created on\s+(?<lockTime>\S+\s+\S+)"
| table _time,lockTime

 

_timelockTimeExpected
2021-04-28 12:46:37.3812021-04-28 17:46:33.96100:00:03.420

 

I should mention too that only the time portion, not the date, will need the difference calculated.  The YYYY-MM-DD will always be the same between _time and lockTime. 

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-30-2021 05:27 AM

The only way to calculate a difference between time fields is to convert them into integers using strptime.

sourcetype="PCF:log" cf_app_name=app1 (msg="*message query here*")
| rex field=msg "created on\s+(?<lockTime>\S+\s+\S+)"
| eval elockTime = strptime(lockTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval Expected = elockTime - _time - (5*3600)
| table _time,lockTime, Expected
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-30-2021 05:27 AM

The only way to calculate a difference between time fields is to convert them into integers using strptime.

sourcetype="PCF:log" cf_app_name=app1 (msg="*message query here*")
| rex field=msg "created on\s+(?<lockTime>\S+\s+\S+)"
| eval elockTime = strptime(lockTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval Expected = elockTime - _time - (5*3600)
| table _time,lockTime, Expected
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...