It appears there are some special chars in the data. Try this.
.... | rex mode=sed field=Previous_Time "s/(\W)//g"| eval Previous_Time=strptime(Previous_Time, "%Y%m%dT%H%M%S%6N") | rex mode=sed field=New_Time "s/(\W)//g"| eval New_Time=strptime(New_Time, "%Y%m%dT%H%M%S%6N") | eval diff=New_Time-Previous_Time | eval diff=tostring(diff, "duration") | eval New_Time=strftime(New_Time, "%Y-%m-%dT%H:%M:%S.%6N") | eval Previous_Time=strftime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%6N")
From https://answers.splunk.com/answers/180660/how-to-convert-a-timestamp-field-to-epoch-format.html
First extract the timestamp into a field if it is not already set as the timestamp _time.
Then add the following command where you substitute your field name
... | convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime("yourfieldname")
It's the field values I get from the event:
Previous_Time - 2016-12-01T15:34:37.658562500Z
New_Time - 2016-12-01T15:36:13.345154500Z
I have to find the difference between these times.
OK, try this to get the difference in raw seconds.
... | convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime("Previous_Time") as previousepoch mktime("New_Time") as newepoch | eval difftime = newepoch - previousepoch
I tried, it's not working.
What is it outputting? Are the new fields newepoch and previousepoch being generated at all?
Extract the field using regex (if it's not the timestamp of the log), and you can try strptime and strftime to strip and form the timestamps:
|eval time=strptime(yourfield,"%H:%M:%S.%N")
Note you can use a number to limit the milliseconds (e.g. %3N gives 3 decimal values).
Once done you can calculate the difference and form the time afterwards:
| eval calculatedtime=strftime(time,"%H:%M:%S.%N")
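As an added example (not code from the thread or from Splunk), here is the same strptime/diff/strftime computation in Python for the two values quoted above. The parser keeps all nine fractional digits and the trailing "Z", which is exactly what the %6N and no-"Z" formats tried in the thread do not match, and the duration formatter mimics tostring(x, "duration") for spans under a day. Function names and the sample constants are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample values, copied from the thread: note the trailing "Z"
# and the nine fractional digits (nanoseconds), which %6N-style formats miss.
PREVIOUS_TIME = "2016-12-01T15:34:37.658562500Z"
NEW_TIME = "2016-12-01T15:36:13.345154500Z"

# Equivalent of "%Y-%m-%dT%H:%M:%S.%9NZ": fraction optional, 1-9 digits.
_TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z$"
)


def parse_iso_ns(value: str) -> tuple[datetime, int]:
    """Parse a UTC timestamp with up to 9 fractional digits.

    Returns the datetime (microsecond precision, all datetime supports)
    plus the full fractional part in nanoseconds so nothing is lost.
    """
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    frac_ns = int((frac or "").ljust(9, "0"))  # right-pad to 9 digits
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                  frac_ns // 1000, tzinfo=timezone.utc)
    return dt, frac_ns


def diff_ns(previous: str, new: str) -> int:
    """new - previous as an integer number of nanoseconds (no float drift)."""
    p_dt, p_ns = parse_iso_ns(previous)
    n_dt, n_ns = parse_iso_ns(new)
    whole = n_dt.replace(microsecond=0) - p_dt.replace(microsecond=0)
    return int(whole.total_seconds()) * 1_000_000_000 + (n_ns - p_ns)


def as_duration(ns: int) -> str:
    """Format nanoseconds like tostring(x, "duration"): [-]HH:MM:SS.ffffff."""
    sign = "-" if ns < 0 else ""
    secs, frac_ns = divmod(abs(ns), 1_000_000_000)
    h, rem = divmod(secs, 3600)
    m, s = divmod(rem, 60)
    return f"{sign}{h:02d}:{m:02d}:{s:02d}.{frac_ns // 1000:06d}"


if __name__ == "__main__":
    delta = diff_ns(PREVIOUS_TIME, NEW_TIME)
    print(delta / 1e9, as_duration(delta))  # 95.686592 00:01:35.686592
```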