Splunk Search

Difficulty to get the time difference between two event time

samarkumar
Path Finder

I am using the below query
search|eval 3CMStartTime = _time|table Corr 3CMStartTime|join Corr [search XXXXX|eval 3CMEndTime = _time]|table Corr 3CMStartTime 3CMEndTime|Join Corr [search XXX deliveryTime*]|fields Corr 3CMStartTime 3CMEndTime DeliveryDateTime|table Corr
3CMStartTime 3CMEndTime DeliveryDateTime|

Data is coming as follow:
Corr 3CMStartTime 3CMEndTime DeliveryDateTime
XX1 1472157011 1472157012 2016-08-25T13:30:36.823
XX2 1472156537 1472156541 2016-08-25T13:23:38.59
XX3 1472156494 1472156494 2016-08-25T13:23:32.39

I need time difference in seconds for below:

Eval diffr1=3CMEndTime - 3CMStartTime

eval diffr2=DeliveryDateTime-3CMEndTime

i was trying

eval TimeDifference = strftime((EpochTime(3CMEndTime) - EpochTime(3CMStartTime )) , "%H:%M:%S")

but getting below error "Error in 'eval' command: The expression is malformed. Expected ). "

Your help will be greatly appreciated.

Tags (1)
0 Karma
1 Solution

sundareshr
Legend

Your time already appears to be in epoch format, so there is no need to convert it. Also, time difference is in seconds, so strftime is not the right function to format it. Try this

.... | eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration") | ...

View solution in original post

0 Karma

sundareshr
Legend

Your time already appears to be in epoch format, so there is no need to convert it. Also, time difference is in seconds, so strftime is not the right function to format it. Try this

.... | eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration") | ...
0 Karma

samarkumar
Path Finder

Getting below Error when i use | eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration") |
Not sure what i am missing in eval statement
Error in 'eval' command: The expression is malformed. Expected ).

Query is as below:

search|eval 3CMStartTime = _time|table Corr 3CMStartTime|join Corr [search XXXXX|eval 3CMEndTime = _time]|table Corr 3CMStartTime 3CMEndTime|Join Corr [search XXX deliveryTime*]|fields Corr 3CMStartTime 3CMEndTime DeliveryDateTime|table Corr
3CMStartTime 3CMEndTime DeliveryDateTime|eval TimeDifference = tostring(3CMEndTime-3CMStartTime, "duration"))

0 Karma

samarkumar
Path Finder

I discussed with Sundareshr, and found that the below one is working as expected.
..| eval TimeDifference = tostring('3CMEndTime'-'3CMStartTime', "duration") |

0 Karma

sundareshr
Legend

Try putting your field names within single quotes. Eval statement does not like it when field names start with a number or has special characters in it. So you eval should look like this

... | eval TimeDifference = tostring('3CMEndTime'-'3CMStartTime', "duration"))
0 Karma
Get Updates on the Splunk Community!

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...