Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculating difference between time of 2 events

TheMorf
New Member
‎10-03-2023 06:07 AM

I am trying to extract the difference of time(duration) of 2 events in days.

I have 2 saperate event for the same ID. One is the starting event and the second is the ending event. Looking as follows.

event1 start:

[2023-05-24 12:02:24.674 CEST_] ID:1234

Event 2 end:

[2023-05-30 6:13:04:954 CEST_] ID:1234

De following query i tried:

Gebeurtenis(=id) =000057927_018448922
|stats min(_time) as start, max(_time) as end, range(_time) as diff by Gebeurtenis
|eval start=strftime(Aanmelden, "%d/%m/%Y")
|eval end=strftime(Afmelden, "%d/%m/%Y")
|eval diff=strftime(diff, "%d/%m/%Y")

the result i get is:

TheMorf_0-1696338314740.png

Diff is calculating the beginning time of splunk and not the 6 days of difference.

Any help is welcom.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2023 06:34 AM

The value of the diff field is in seconds.  The strftime function adds that value to 1 Jan 1970 to come up with a timestamp.  Obviously, that is not the goal.  Expressing diff in days can be done in a couple of ways:

divide seconds by 86400 to get a number of days

| eval days=round(diff/86400,0)

Use the tostring function to convert seconds into d:H:M:S format.

| eval days=tostring(diff, "duration")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...