Solved: How to calculate time difference using ctime?

neerajs_81 · ‎01-30-2023

Hi All, I have a very simple use case and that is to display the time difference between 2 fields that already have their values as time in epoch format. But when i use ctime to display the difference, it shows weird results.
As shown below my events contains 2 fields ( tt0 & tt1). Their values are timestamp in EPOCH.
If we manually convert these to Human Readable Time , the difference between the tt0 and tt1 is just 03 mins and xx seconds.

tto	tt1
1675061542	1675061732

But when i do a

| eval ttc=tt1-tt0 
| convert  ctime(ttc)

Splunk displays ttc as follows: 12/31/1969 18:56:49.2304990

What am i doing wrong here? How to make it display ttc correctly ?

ITWhisperer · ‎01-30-2023

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")

View solution in original post

ITWhisperer · ‎01-30-2023

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")

neerajs_81 · ‎01-30-2023

@ITWhisperer i have seen in lot of your posts you recommending ctime instead of strftime/strptime. Is there a reason that you prefer ctime ?
Thanks

ITWhisperer · ‎01-30-2023

That surprises me as I thought I preferred strftime()!

batabay · ‎01-30-2023

Hi,

You thinking wrong because you calculate difference field.

Try This ;

| makeresults 
| eval tt0=relative_time(now(),"-10m@m"), tt1=now() 
| eval diff = tt1 - tt0 
| eval diff = tostring(diff,"duration")

neerajs_81 · ‎01-30-2023

Didn't understand what you meant by thinking wrong you calculate difference field ? R you saying i need to use eval twice for the difference field ?

How to calculate time difference using ctime?

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!