Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate time difference?

EvansB
Path Finder
‎09-07-2022 08:12 AM

I'm looking to get a difference between both times and create a 3rd field for the results (Properties.actionedDate - _time). My current query is like this

 

index=* source=* | table Properties.actionedDate, _time

 


Here is a screenshot of my current result

EvansB_0-1662563212282.png

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-07-2022 08:24 AM

I probably should make this a macro since I give this answer a lot.  Timestamps must be in epoch (integer) format to be compared or to find their difference.  Use the strptime function for that.

 

 

index=* source=* 
| rename Properties.actionedDate as actionedDate
| eval actionedTS = strptime(, "%Y-%m-%dT%H:%M:%S.%7N%:z")
| eval diff = _time - actionedTS
| table actionedDate, _time, diff

 

 

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-07-2022 08:24 AM

I probably should make this a macro since I give this answer a lot.  Timestamps must be in epoch (integer) format to be compared or to find their difference.  Use the strptime function for that.

 

 

index=* source=* 
| rename Properties.actionedDate as actionedDate
| eval actionedTS = strptime(, "%Y-%m-%dT%H:%M:%S.%7N%:z")
| eval diff = _time - actionedTS
| table actionedDate, _time, diff

 

 

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

EvansB
Path Finder
‎09-07-2022 08:45 AM

Thanks for your response.
This should work but I'm not getting results on the diff field - (I sorted with this field)
Does that mean there are no difference between timestamps and _time?

EvansB_0-1662565524803.png

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-07-2022 09:24 AM

I noticed a typo in the strptime format string in my reply, which I've corrected.  I also added a rename command in case eval doesn't like the original field name.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

EvansB
Path Finder
‎09-07-2022 09:45 AM

did you edit your first comment.... I'm getting same results 
can you post the corrected query? 
Appreciate.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-07-2022 11:03 AM

I don't know what happened to my original edit, but I've re-posted it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

EvansB
Path Finder
‎09-07-2022 12:54 PM

I eventually used this

index=* source=*
| rename Properties.actionedDate as actionedDate
| eval actionedTS = strptime(actionedDate, "%Y-%m-%dT%H:%M:%S.%7N%:z")
| eval diff = _time - actionedTS 
| table actionedDate, _time, diff

Appreciate you @richgalloway 

Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...