Solved: Find the diff between two times

luckyman80 · ‎01-06-2021

Hi I am really struggling to find the difference between the 51= time and the 59= time below and add to a separate column

My log extract example is

2021-01-06 12:37:57.411 [FIDO1] INFO LogAuditor - [FIDO2] Outgoing [12294][0] : 8=FIX.4.49=54135=D49=FIDO156=FIDO2_192_168_0_134=1599251=20210106-17:37:57.41011=1609686062170-FIDO15140WTZ00087815=USD21=138=100000040=244=19.632154=255=PECEOF59=359=20210106-17:37:57.409

Thanks in advance experts

richgalloway · ‎01-07-2021

Sorry about that. There were some typos in my answer. I've fixed them.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

luckyman80 · ‎01-07-2021

i actually noticed there is an issue with the strp time as there is no results given when i table the diff and epoch51/epoch59 items

richgalloway · ‎01-07-2021

Sorry about that. There were some typos in my answer. I've fixed them.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-06-2021

First, we need to extract the fields. Then we convert the timestamps into epoch form. Finally, we can compute the difference.

<your search>
| rex "51=(?<ts51>\d{8}-\d\d:\d\d:\d\d\.\d{3})"
| rex "59=(?<ts59>\d{8}-\d\d:\d\d:\d\d\.\d{3})"
| eval epoch51=strptime(ts51,"%Y%m%d-%H:%M:%S.%3N"), epoch59=strptime(ts59,"%Y%m%d-%H:%M:%S.%3N")
| eval diff=epoch59 - epoch51

---
If this reply helps you, Karma would be appreciated.

luckyman80 · ‎01-07-2021

hi thanks for this. I still am unable to see the def in a separate column. Whats the best way of displaying the results for the diff ? in a table ?

Find the diff between two times

regex

table

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting