How to compare two dates in format DAY-Mon dd:mm:s...

jagdeepgupta813 · ‎04-24-2018

Hello,

I have two dates which I need to compare and report if there is difference of more than 1 hour

currTime = Tue Apr 24 07:52:18 PDT 2018 
currProcTime = Tue Apr 24 06:26:03 PDT 2018

As of now I used regular expressions like below , but is there any easy or efficient way to do this ?

 | rex field=currTime "(?<hr1>\d{2}):.*:.*" | rex field=currProcTime "(?<hr2>\d{2}):.*:.*"| eval latencyByHour=hr1-hr2| where latencyByHour>0

TISKAR · ‎04-24-2018

Can you try this:

| makeresults 
| eval currTime = "Tue Apr 24 07:52:18 PDT 2018", currProcTime = "Tue Apr 24 06:26:03 PDT 2018"
| where (strptime(currTime,"%a %b %d %H:%M:%S PDT %Y")-strptime(currProcTime,"%a %b %d %H:%M:%S PDT %Y"))>3600

woodcock · ‎04-24-2018

Like this:

... | eval currTime=strptime(currTime, "%a %b %d %H:%M:%S %Z %Y")
| eval currProcTime=strptime(currProcTime, "%a %b %d %H:%M:%S %Z %Y")
| eval latencySeconds = currTime - currProcTime
| where latencySeconds > 3600

How to compare two dates in format DAY-Mon dd:mm:ss ZZZZ YYYY ?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How to compare two dates in format DAY-Mon dd:mm:ss ZZZZ YYYY ?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers