Splunk Search

How to compare two dates in format DAY-Mon dd:mm:ss ZZZZ YYYY ?



I have two dates which I need to compare and report if there is difference of more than 1 hour

currTime = Tue Apr 24 07:52:18 PDT 2018 
currProcTime = Tue Apr 24 06:26:03 PDT 2018

As of now I used regular expressions like below , but is there any easy or efficient way to do this ?

 | rex field=currTime "(?<hr1>\d{2}):.*:.*" | rex field=currProcTime "(?<hr2>\d{2}):.*:.*"| eval latencyByHour=hr1-hr2| where latencyByHour>0
0 Karma


Can you try this:

| makeresults 
| eval currTime = "Tue Apr 24 07:52:18 PDT 2018", currProcTime = "Tue Apr 24 06:26:03 PDT 2018"
| where (strptime(currTime,"%a %b %d %H:%M:%S PDT %Y")-strptime(currProcTime,"%a %b %d %H:%M:%S PDT %Y"))>3600
0 Karma

Esteemed Legend

Like this:

... | eval currTime=strptime(currTime, "%a %b %d %H:%M:%S %Z %Y")
| eval currProcTime=strptime(currProcTime, "%a %b %d %H:%M:%S %Z %Y")
| eval latencySeconds = currTime - currProcTime
| where latencySeconds > 3600
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!