I am trying to calculate difference in my two custom date time/fields and get output results in milliseconds.
I tried the following query, but it didn't yield the expected result.
SourceTimestamp format:2019-01-23 11:37:39:584
ProcessTimestamp Format:2019-01-23 11:37:39:756
Actual Result with below query: 00:00:00.000000
Expected Result: 172 ms
search..| eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S.%Q") | eval endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S.%Q") | eval TimeDiff=tostring((endTime-startTime),"duration") | table SourceTimestamp ProcessTimestamp TimeDiff
I tried the values above in my search and it gives me 172 ms. Please see below the expression for startTime and endTime, it is : instead of . before milliseconds
search..|eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S:%3N") | endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S:%3N")|eval TimeDiff=tostring((endTime-startTime),"duration") | table SourceTimestamp ProcessTimestamp TimeDiff
I tried the values above in my search and it gives me 172 ms. Please see below the expression for startTime and endTime, it is : instead of . before milliseconds
search..|eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S:%3N") | endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S:%3N")|eval TimeDiff=tostring((endTime-startTime),"duration") | table SourceTimestamp ProcessTimestamp TimeDiff
Thanks i missed that . before milliseconds.
How do i get my final result from 00:00:00.172000 as 172 ms?
Use this
search..|eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S:%3N") | endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S:%3N")|eval TimeDiff=endTime-startTime | eval TimeDiff= round(TimeDiff * 1000, 0) | eval TimeDiff= TimeDiff." "."ms"|table SourceTimestamp ProcessTimestamp TimeDiff
It worked Thanks for the quick turnaround