Splunk Search

How can I subtract 2 times together/why won't the search string I'm trying work?

sdorich
Communicator

So I have seen an answer related to this question on Splunk Answers but the answer that was given is not working for me. I have tried the following as my search string and it seems like mktime() is having trouble converting the human readable time I've provided to epoch time.

eventtype=bsm_events | convert mktime(event.time_received_label) as t2 mktime(event.time_created_label) as t1 | eval elapsed = t2-t1 | table t1,t2,elapsed

I've tried mktime() with 2 separate time formats.

  1. 2014-02-18T21:09:24.804-07:00
  2. 02/18/2014 9:09:24 PM

I've also tried using strptime() but had issues with that too.

Thanks in advance.


somesoni2
Revered Legend

The correct syntax is '| convert timeformat="specify time format present in your field" mktime(yourfield) as fieldalias'.


somesoni2
Revered Legend

here you go.


sdorich
Communicator

Thanks - I knew I must have been missing something. That works! You should make your comment as an answer so I can mark this question as answered.

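The accepted fix comes down to one point: mktime() cannot guess the layout of a human-readable string, so the timeformat has to be spelled out. The following Python script is an added example, not code from the thread or from Splunk, showing the same idea outside Splunk: the two timestamp layouts from the question are parsed with explicit format strings, converted to epoch seconds and subtracted, and a mismatched format yields no value instead of a wrong one. The sample timestamps are constructed, the Splunk timeformat strings in the comments are my assumed mapping of the same layouts, and the UTC-7 offset applied to the zone-less US-style value is an assumption for the sake of the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps (not values from the original post), one pair per
# layout listed in the question. "received" is 1 min 40 s after "created" for the
# US pair and 0.7 s less than that for the ISO pair because of the milliseconds.
ISO_CREATED = "2014-02-18T21:09:24.804-07:00"
ISO_RECEIVED = "2014-02-18T21:11:04.104-07:00"
US_CREATED = "02/18/2014 9:09:24 PM"
US_RECEIVED = "02/18/2014 9:11:04 PM"

# Python strptime formats for the two layouts. The Splunk `convert timeformat`
# equivalents below are my assumed mapping, not something the thread states:
#   iso -> "%Y-%m-%dT%H:%M:%S.%3N%:z"   (%3N = milliseconds, %:z = +hh:mm offset)
#   us  -> "%m/%d/%Y %I:%M:%S %p"
PY_FORMATS = {
    "iso": "%Y-%m-%dT%H:%M:%S.%f%z",
    "us": "%m/%d/%Y %I:%M:%S %p",
}

# The US-style string carries no zone. Attach one explicitly rather than letting
# the machine's local zone decide the epoch value; UTC-7 is assumed here so the
# two sample pairs describe the same instants.
DEFAULT_TZ = timezone(timedelta(hours=-7))


def parse_time(value, fmt, default_tz=DEFAULT_TZ):
    """Parse `value` with an explicit format; return an aware datetime or None.

    Returning None on a mismatch mirrors what happens in Splunk when the
    timeformat does not match the field: the converted field is simply absent.
    """
    try:
        parsed = datetime.strptime(value, fmt)
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=default_tz)
    return parsed


def to_epoch(value, fmt):
    """Epoch seconds (float) for `value`, or None if the format does not match."""
    parsed = parse_time(value, fmt)
    return None if parsed is None else parsed.timestamp()


def elapsed_seconds(created, received, fmt):
    """Seconds from `created` to `received`, or None if either fails to parse."""
    t1 = parse_time(created, fmt)
    t2 = parse_time(received, fmt)
    if t1 is None or t2 is None:
        return None
    return (t2 - t1).total_seconds()


if __name__ == "__main__":
    pairs = {"iso": (ISO_CREATED, ISO_RECEIVED), "us": (US_CREATED, US_RECEIVED)}
    for name, fmt in PY_FORMATS.items():
        created, received = pairs[name]
        print(name, to_epoch(created, fmt), to_epoch(received, fmt),
              elapsed_seconds(created, received, fmt))
    # Same input, wrong format: no result rather than a garbage number.
    print("iso value with us format:",
          elapsed_seconds(ISO_CREATED, ISO_RECEIVED, PY_FORMATS["us"]))
```

The US-style layout is the one to watch in practice: because it has no zone, the epoch value (and any comparison against a zoned field) depends entirely on which zone the converter assumes, so set it deliberately in both the script and the Splunk search rather than inheriting whatever the host or search head uses.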
