Samples are collected and later manually entered into Splunk. I am interested in the time the sample was tested, not when it was uploaded into Splunk. There is a field called Manual Time with the format in "%H:%M:%S %p".
I wrote a search based on other answers that can work using the _time field but it does not seem to work for the ManualTime field.
The following code results in having a ManualTime and nowstring time listed in the same time format.
index="index" sourcetype="sourcetype"
| stats latest(ManualTime) as ManualTime
| eval timenow=now()
| eval nowstring=strftime(now(), "%H:%M:%S %p")
Once I add the following code it breaks.
| eval diff = tostring((now() - ManualTime), "duration")
| table diff
I also need the result to be in the units of minutes (i.e. 75 minutes, not 1:15).
If ManualTime is in string format () then it must be converted to epoch form before you can do any math with it. Try this.
index=index sourcetype=sourcetype
| stats latest(ManualTime) as ManualTime
| eval timenow=now()
| eval nowstring=strftime(now(), "%H:%M:%S %p")
| eval eManualTime=strptime(ManualTime,"%H:%M:%S %p")
| eval diff=round((now()-eManualTime)/60,0)
| table diff
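As an added illustration (not part of the original answer), the same conversion run over constructed sample values with `makeresults`, so it can be pasted into any Splunk search bar without the real index. The format string is kept exactly as the page gives it; be aware that `strptime` assumes the current date when the string carries only a time of day, so a sample tested late yesterday and computed after midnight comes out negative, which the `note` field flags. Also check the field's actual values: `%H` parses a 24-hour clock, and in common strptime implementations `%p` only adjusts hours parsed with `%I`.

```spl
| makeresults
| eval ManualTime="09:05:00 AM,10:15:00 AM,11:59:00 PM"
| makemv delim="," ManualTime
| mvexpand ManualTime
| eval eManualTime=strptime(ManualTime, "%H:%M:%S %p")
| eval diff_min=round((now()-eManualTime)/60, 0)
| eval note=if(diff_min<0, "sample time is after now: date assumed to be today, probably tested yesterday", "ok")
| eval parsed_ok=if(isnull(eManualTime), "strptime returned null, check the format string", "ok")
| table ManualTime eManualTime diff_min note parsed_ok
```

Replace the `makeresults` lines with the real `index=... | stats latest(ManualTime) as ManualTime` to apply it to the production data.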