Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculating difference between time of 2 events

TheMorf
New Member
‎10-03-2023 06:07 AM

I am trying to extract the difference of time(duration) of 2 events in days.

I have 2 saperate event for the same ID. One is the starting event and the second is the ending event. Looking as follows.

event1 start:

[2023-05-24 12:02:24.674 CEST_] ID:1234

Event 2 end:

[2023-05-30 6:13:04:954 CEST_] ID:1234

De following query i tried:

Gebeurtenis(=id) =000057927_018448922
|stats min(_time) as start, max(_time) as end, range(_time) as diff by Gebeurtenis
|eval start=strftime(Aanmelden, "%d/%m/%Y")
|eval end=strftime(Afmelden, "%d/%m/%Y")
|eval diff=strftime(diff, "%d/%m/%Y")

the result i get is:

TheMorf_0-1696338314740.png

Diff is calculating the beginning time of splunk and not the 6 days of difference.

Any help is welcom.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2023 06:34 AM

The value of the diff field is in seconds.  The strftime function adds that value to 1 Jan 1970 to come up with a timestamp.  Obviously, that is not the goal.  Expressing diff in days can be done in a couple of ways:

divide seconds by 86400 to get a number of days

| eval days=round(diff/86400,0)

Use the tostring function to convert seconds into d:H:M:S format.

| eval days=tostring(diff, "duration")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...