Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to calculate time difference using ctime?

neerajs_81
Builder
‎01-30-2023 12:27 AM

Hi All, I have a very simple use case and that is to display the time difference between 2 fields that already have their values as time in epoch format.   But when i use ctime to display the difference, it shows weird results. 
As shown below my events contains 2 fields ( tt0 & tt1). Their values are  timestamp in EPOCH.
If we manually  convert these to Human Readable Time , the difference between the tt0 and tt1 is just 03 mins and xx seconds.  

tto tt1
1675061542  1675061732


But when i do a 

 

 

| eval ttc=tt1-tt0 
| convert  ctime(ttc)

 

 


Splunk displays ttc as follows:   12/31/1969 18:56:49.2304990 

What am i doing wrong here?  How to make it display ttc correctly ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2023 12:39 AM

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2023 12:39 AM

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")
Reply
Solved! Jump to solution

neerajs_81
Builder
‎01-30-2023 01:47 AM

@ITWhisperer  i have seen in lot of your posts you recommending ctime instead of strftime/strptime. Is there a reason that you prefer ctime ?
Thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2023 01:55 AM

That surprises me as I thought I preferred strftime()!

0 Karma
Reply
Solved! Jump to solution

batabay
Path Finder
‎01-30-2023 12:39 AM

Hi,

You thinking wrong because you calculate difference field. 

Try This ; 

 

| makeresults 
| eval tt0=relative_time(now(),"-10m@m"), tt1=now() 
| eval diff = tt1 - tt0 
| eval diff = tostring(diff,"duration")
Reply
Solved! Jump to solution

neerajs_81
Builder
‎01-30-2023 12:46 AM

Didn't understand what you meant by thinking wrong you calculate difference field ?  R you saying i need to use eval twice for the difference field ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...