Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to calculate the difference between two timestamps in the same event?

pkurt
Path Finder
‎10-14-2016 04:28 PM

Hello,

I am trying to determine the time difference between the two timeStamp columns in my events.
I tried to use the search below, but cannot return anything for the "diff" at the end... 

 ... my base search ... | eval raw_time=strptime(_time,'%Y-%m-%dT%H:%M:%S')  | eval utc_endtime=strptime(UTC_EndTime,'%Y-%m-%dT%H:%M:%S') | eval diff= raw_time-utc_endtime

My example events are like this:

2016-10-15T03:59:59.999999, UTC_EndTime=2016-10-14T19:59:59.999999,
2016-10-15T02:59:59.999999, UTC_EndTime=2016-10-14T18:59:59.999999,
2016-10-15T01:59:59.999999, UTC_EndTime=2016-10-14T17:59:59.999999,

I would appreciate if you can help me to see the mistake I am doing here.

Many thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2016 08:35 PM

The _time is already in epoch time (just shows as human readable form in search result/table), so no need to convert it. Updated the timeformat as well for UTC_EndTime.

  ... my base search ...   | eval utc_endtime=strptime(UTC_EndTime,"%Y-%m-%dT%H:%M:%S.%N") | eval diff= _time-utc_endtime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2016 08:35 PM

The _time is already in epoch time (just shows as human readable form in search result/table), so no need to convert it. Updated the timeformat as well for UTC_EndTime.

  ... my base search ...   | eval utc_endtime=strptime(UTC_EndTime,"%Y-%m-%dT%H:%M:%S.%N") | eval diff= _time-utc_endtime
0 Karma
Reply
Solved! Jump to solution

pkurt
Path Finder
‎10-16-2016 07:16 AM

it worked, thank you very much!

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-14-2016 06:48 PM

Use convert. 

  ... my base search ... | Convert mktime(_time) as raw_time timestamp="%Y-%m-%dT%H:%M:%S" | Convert mktime(UTC_EndTime) as utc_endtime "%Y-%m-%dT%H:%M:%S"| eval diff= raw_time-utc_endtime
0 Karma
Reply
Solved! Jump to solution

pkurt
Path Finder
‎10-18-2016 10:58 AM

I could not make this work. Thank you very much though!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-14-2016 05:16 PM

Change single quotes ' to double quotes "

| eval raw_time=strptime(_time,"%Y-%m-%dT%H:%M:%S")  | eval utc_endtime=strptime(UTC_EndTime,"%Y-%m-%dT%H:%M:%S") | eval diff= raw_time-utc_endtime
0 Karma
Reply
Solved! Jump to solution

pkurt
Path Finder
‎10-18-2016 10:51 AM

Thank you very much. Double quotes are not the issue. It works only if I add ".%N" to my time string since the actual timeStamp has ".999999" component.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...