Splunk Search

How do you calculate the difference between two date/time fields and get results in milliseconds?

reddyavi256
Explorer

I am trying to calculate difference in my two custom date time/fields and get output results in milliseconds.

I tried the following query, but it didn't yield the expected result.

SourceTimestamp format:2019-01-23 11:37:39:584
ProcessTimestamp Format:2019-01-23 11:37:39:756

Actual Result with below query: 00:00:00.000000
Expected Result: 172 ms

search..| eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S.%Q") | eval endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S.%Q") | eval TimeDiff=tostring((endTime-startTime),"duration") | table SourceTimestamp ProcessTimestamp TimeDiff
0 Karma
1 Solution

Vijeta
Influencer

I tried the values above in my search and it gives me 172 ms. Please see below the expression for startTime and endTime, it is : instead of . before milliseconds

search..|eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S:%3N") | endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S:%3N")|eval TimeDiff=tostring((endTime-startTime),"duration") | table SourceTimestamp ProcessTimestamp TimeDiff

View solution in original post

Vijeta
Influencer

I tried the values above in my search and it gives me 172 ms. Please see below the expression for startTime and endTime, it is : instead of . before milliseconds

search..|eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S:%3N") | endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S:%3N")|eval TimeDiff=tostring((endTime-startTime),"duration") | table SourceTimestamp ProcessTimestamp TimeDiff

reddyavi256
Explorer

Thanks i missed that . before milliseconds.
How do i get my final result from 00:00:00.172000 as 172 ms?

0 Karma

Vijeta
Influencer

Use this

search..|eval startTime=strptime(SourceTimestamp,"%Y-%m-%d %H:%M:%S:%3N") | endTime=strptime(ProcessTimestamp,"%Y-%m-%d %H:%M:%S:%3N")|eval TimeDiff=endTime-startTime | eval TimeDiff= round(TimeDiff * 1000, 0) | eval TimeDiff= TimeDiff." "."ms"|table SourceTimestamp ProcessTimestamp TimeDiff
0 Karma

reddyavi256
Explorer

It worked Thanks for the quick turnaround

0 Karma
Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...