Splunk Search

How to calculate time difference using ctime?

neerajs_81
Builder

Hi All, I have a very simple use case, and that is to display the time difference between 2 fields that already have their values as time in epoch format. But when I use ctime to display the difference, it shows weird results.
As shown below, my events contain 2 fields (tt0 & tt1). Their values are timestamps in EPOCH.
If we manually convert these to human-readable time, the difference between tt0 and tt1 is just 03 mins and xx seconds.

tt0         tt1
1675061542  1675061732


But when I do a

| eval ttc=tt1-tt0
| convert ctime(ttc)

Splunk displays ttc as follows: 12/31/1969 18:56:49.2304990

What am I doing wrong here? How to make it display ttc correctly?

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")
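
Why the two approaches differ, as an added example that is not part of any post in this thread: `convert ctime()` reads a number as a point in time (seconds since 1 January 1970 UTC), while `tostring(X,"duration")` reads it as a length of time. The first row uses the tt0/tt1 values from the question; the `row`, `as_ctime`, `as_duration` and `note` field names and the values in rows 2 and 3 are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS row
| eval tt0=1675061542
| eval tt1=case(row=1, 1675061732, row=2, tt0+90000, row=3, tt0-45)
| eval ttc=tt1-tt0
| eval as_ctime=ttc
| convert ctime(as_ctime)
| eval as_duration=if(ttc>=0, tostring(ttc, "duration"), "-".tostring(abs(ttc), "duration"))
| eval note=case(ttc<0, "tt1 earlier than tt0", ttc>=86400, "gap of a day or more", true(), "ok")
| table row tt0 tt1 ttc as_ctime as_duration note
```

Row 1 gives `ttc=190` and `as_duration=00:03:10`, row 2 gives `1+01:00:00`, and row 3 is flagged as negative instead of being passed to the duration formatter directly. In every row `as_ctime` lands at the Unix epoch, with the exact clock value depending on the user's time zone setting.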

neerajs_81
Builder

@ITWhisperer I have seen in a lot of your posts you recommending ctime instead of strftime/strptime. Is there a reason that you prefer ctime?
Thanks

0 Karma

ITWhisperer
SplunkTrust

That surprises me as I thought I preferred strftime()!

0 Karma

batabay
Path Finder

Hi,

You are thinking wrong because you calculate a difference field.

Try this:

| makeresults 
| eval tt0=relative_time(now(),"-10m@m"), tt1=now() 
| eval diff = tt1 - tt0 
| eval diff = tostring(diff,"duration")

neerajs_81
Builder

Didn't understand what you meant by thinking wrong you calculate difference field? Are you saying I need to use eval twice for the difference field?

0 Karma