Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate time difference using ctime?

neerajs_81
Builder
‎01-30-2023 12:27 AM

Hi All, I have a very simple use case and that is to display the time difference between 2 fields that already have their values as time in epoch format.   But when i use ctime to display the difference, it shows weird results. 
As shown below my events contains 2 fields ( tt0 & tt1). Their values are  timestamp in EPOCH.
If we manually  convert these to Human Readable Time , the difference between the tt0 and tt1 is just 03 mins and xx seconds.  

tto tt1
1675061542  1675061732


But when i do a 

 

 

| eval ttc=tt1-tt0 
| convert  ctime(ttc)

 

 


Splunk displays ttc as follows:   12/31/1969 18:56:49.2304990 

What am i doing wrong here?  How to make it display ttc correctly ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2023 12:39 AM

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2023 12:39 AM

Try using tostring() with "duration"

| eval ttc=tt1-tt0 
| fieldformat ttc=tostring(ttc,"duration")
Reply
Solved! Jump to solution

neerajs_81
Builder
‎01-30-2023 01:47 AM

@ITWhisperer  i have seen in lot of your posts you recommending ctime instead of strftime/strptime. Is there a reason that you prefer ctime ?
Thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-30-2023 01:55 AM

That surprises me as I thought I preferred strftime()!

0 Karma
Reply
Solved! Jump to solution

batabay
Path Finder
‎01-30-2023 12:39 AM

Hi,

You thinking wrong because you calculate difference field. 

Try This ; 

 

| makeresults 
| eval tt0=relative_time(now(),"-10m@m"), tt1=now() 
| eval diff = tt1 - tt0 
| eval diff = tostring(diff,"duration")
Reply
Solved! Jump to solution

neerajs_81
Builder
‎01-30-2023 12:46 AM

Didn't understand what you meant by thinking wrong you calculate difference field ?  R you saying i need to use eval twice for the difference field ?

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...