@gcusello  Thanks for your response this helps.

I am getting diff in the string format example 

00:01:12 --> This say 1 hour and 12 mins
30+03:46:11--> This say  30 days and 3 hours 46 mins 

I want to convert this diff to number of hours and compare it with a threshold(is a numeric value like 24)
when I am trying this it is not giving me correct value. I understand this is due to the fact that "diff" is in string format.
Shall I first take the diff in epoch and find the diff and then convert it using strf function?

Please assist me on the same.

trying query

| eval

currentEventTime=strftime(_time,"%Y-%m-%d %H:%M:%S"),
currentTimeintheServer=strftime(now(),"%Y-%m-%d %H:%M:%S"),
test_now=now(), test_time=_time, diff_of_epochtime=(now()-_time),
diff=strftime(diff_of_epochtime,"%Y-%m-%d %H:%M:%S"),
difforg=tostring(round(diff), "duration")

Hi @akgmail ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Hi @akgmail ,

this seems to be a different question even if on a similar topèic.

Anyway, to do calculations between dates, you have always to transforms then in epochtime (when they just aren't in thi s format) and then you have numbers that you can use for all your operations.

If you don't like the format of the duration, you can create your own function to display a duration in the format you like making mathematic operations,

so if you want to have a duration in hours, you have to divide the diff number (that are seconds) for 3600.

| eval diff_in_hours=round(now()-_time)/3600,2)

then you don't need to rename now() and _time.

Ciao.

Giuseppe