Splunk Search

How to compare two dates in format DAY-Mon dd:mm:ss ZZZZ YYYY ?

jagdeepgupta813
Explorer

Hello,

I have two dates which I need to compare and report if there is difference of more than 1 hour

currTime = Tue Apr 24 07:52:18 PDT 2018 
currProcTime = Tue Apr 24 06:26:03 PDT 2018

As of now I used regular expressions like below , but is there any easy or efficient way to do this ?

 | rex field=currTime "(?<hr1>\d{2}):.*:.*" | rex field=currProcTime "(?<hr2>\d{2}):.*:.*"| eval latencyByHour=hr1-hr2| where latencyByHour>0
0 Karma

TISKAR
Builder

Can you try this:

| makeresults 
| eval currTime = "Tue Apr 24 07:52:18 PDT 2018", currProcTime = "Tue Apr 24 06:26:03 PDT 2018"
| where (strptime(currTime,"%a %b %d %H:%M:%S PDT %Y")-strptime(currProcTime,"%a %b %d %H:%M:%S PDT %Y"))>3600
0 Karma

woodcock
Esteemed Legend

Like this:

... | eval currTime=strptime(currTime, "%a %b %d %H:%M:%S %Z %Y")
| eval currProcTime=strptime(currProcTime, "%a %b %d %H:%M:%S %Z %Y")
| eval latencySeconds = currTime - currProcTime
| where latencySeconds > 3600
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...