Splunk Search

How to find difference of the time in days and hours respectively between Event time of the data and current time?

akgmail
Explorer

How to find difference of the time in days and hours respectively between Event time of the data and current time?

Format of the Time i.e _time is below
6/18/24
10:17:15.000 AM

I tried utilizing the below query, which is giving me the current event time and current server time correctly, but I need help in finding the difference.

index=testdata sourcetype=testmydata
| eval currentEventTime=strftime(_time,"%+")
| eval currentTimeintheServer= strftime(now(),"%+")
| eval diff=round(('currentTimeintheServer'-'currentEventTime') / 60)
| eval diff = tostring(diff, "duration")
| table currentEventTime currentTimeintheServer diff index _raw


Please assist.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @akgmail ,

what do you mean with "%+" in strftime?

as @ITWhisperer said, now() and _time are in epochtime so you can compare them, so please try this (modifying your search):

index=testdata sourcetype=testmydata
| eval
     diff=tostring(round((now()-_time)/60), "duration"),
     currentEventTime=strftime(_time,"%Y-%m-%d %H:%M:%S"),
     currentTimeintheServer=strftime(now(),"%Y-%m-%d %H:%M:%S")
| table currentEventTime currentTimeintheServer diff index _raw

Ciao.

Giuseppe

0 Karma

akgmail
Explorer

@gcusello Thanks for your response, this helps.

I am getting diff in string format, for example:

00:01:12 --> This says 1 hour and 12 mins
30+03:46:11 --> This says 30 days and 3 hours 46 mins

I want to convert this diff to a number of hours and compare it with a threshold (a numeric value like 24).
When I try this it is not giving me the correct value. I understand this is due to the fact that "diff" is in string format.
Shall I first take the diff in epoch, find the diff and then convert it using the strftime function?

Please assist me on the same.

The query I am trying:

| eval
     currentEventTime=strftime(_time,"%Y-%m-%d %H:%M:%S"),
     currentTimeintheServer=strftime(now(),"%Y-%m-%d %H:%M:%S"),
     test_now=now(), test_time=_time, diff_of_epochtime=(now()-_time),
     diff=strftime(diff_of_epochtime,"%Y-%m-%d %H:%M:%S"),
     difforg=tostring(round(diff), "duration")

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @akgmail ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @akgmail ,

this seems to be a different question, even if on a similar topic.

Anyway, to do calculations between dates, you always have to transform them into epochtime (when they aren't already in this format), and then you have numbers that you can use for all your operations.

If you don't like the format of the duration, you can create your own function to display a duration in the format you like using mathematical operations,

so if you want to have a duration in hours, you have to divide the diff number (which is in seconds) by 3600.

| eval diff_in_hours=round((now()-_time)/3600,2)

then you don't need to rename now() and _time.

Ciao.

Giuseppe

0 Karma
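The arithmetic this thread turns on, as an added example (not code from the thread, from Splunk, or from any of the posters): a small Python model of what SPL does with _time, now(), strftime() and tostring(X, "duration"). It shows why subtracting two strftime() strings cannot work, why the accepted answer's "/60" before the duration formatter makes 72 minutes print as "00:01:12", and how the "divide seconds by 3600 and compare to a threshold" approach from the reply above looks in numbers. The sample timestamp is the one quoted in the question; the "now" values are constructed offsets, and the assumption that _time is in UTC is only there to keep the example deterministic.

```python
"""Model of the epoch arithmetic discussed in the thread (added example).

Two pieces of SPL behaviour are re-implemented so the pitfalls can be seen offline:
  - tostring(X, "duration") renders X *seconds* as HH:MM:SS, or D+HH:MM:SS once a
    day or more is involved (the "30+03:46:11" shape quoted in the thread);
  - now() - _time is only meaningful while both are epoch numbers, never after
    strftime() has turned them into display strings.
Sample inputs are constructed; nothing here is read from a real index.
"""
from datetime import datetime, timezone


def to_epoch(text, fmt="%m/%d/%y %I:%M:%S.%f %p"):
    """Parse a clock-face string such as '6/18/24 10:17:15.000 AM' into epoch seconds.
    Splunk does this at index time to build _time; strptime() is the SPL eval equivalent.
    Assumption for the example: the string is UTC."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def duration_string(seconds):
    """Re-implementation of tostring(seconds, "duration"):
    HH:MM:SS, or D+HH:MM:SS when the value is a day or more."""
    seconds = int(round(seconds))
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def age_report(event_epoch, now_epoch, threshold_hours=24.0):
    """Subtract epoch numbers first, then derive everything else from the seconds:
    a human-readable duration, hours rounded to two places, and a threshold check
    (the 24-hour comparison asked about in the follow-up)."""
    diff_seconds = now_epoch - event_epoch
    return {
        "diff_seconds": diff_seconds,
        "diff_hours": round(diff_seconds / 3600, 2),
        "duration": duration_string(diff_seconds),
        # The original query divides by 60 *before* formatting; the duration
        # formatter then treats minutes as seconds, so 72 minutes shows as 00:01:12.
        "duration_if_divided_by_60": duration_string(diff_seconds / 60),
        "older_than_threshold": diff_seconds / 3600 > threshold_hours,
    }


def string_subtraction_fails(event_epoch, now_epoch):
    """Mirror the mistake in the opening post: strftime() both values, then subtract.
    Python raises TypeError; in SPL the eval simply produces no value for the field."""
    fmt = "%Y-%m-%d %H:%M:%S"
    now_text = datetime.fromtimestamp(now_epoch, timezone.utc).strftime(fmt)
    event_text = datetime.fromtimestamp(event_epoch, timezone.utc).strftime(fmt)
    try:
        return now_text - event_text
    except TypeError:
        return None


if __name__ == "__main__":
    # Timestamp quoted in the question, joined onto one line; "now" offsets are constructed.
    event = to_epoch("6/18/24 10:17:15.000 AM")
    for label, offset in (("72 minutes later", 72 * 60),
                          ("30d 3h 46m 11s later", 30 * 86400 + 3 * 3600 + 46 * 60 + 11)):
        print(label, age_report(event, event + offset))
    print("string minus string:", string_subtraction_fails(event, event + 60))
```

Run as a script it prints the two cases from the follow-up post: the first yields duration "01:12:00" (1.2 hours, under a 24-hour threshold) while the "/60" variant yields the misleading "00:01:12"; the second yields "30+03:46:11" and 723.77 hours, over the threshold. In SPL the same numbers come from `round((now()-_time)/3600,2)` and `tostring(now()-_time, "duration")` without any intermediate division.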

ITWhisperer
SplunkTrust
SplunkTrust

_time and now() provide times in epoch format, i.e. the number of seconds since the beginning of 1970. You can calculate the difference between these two numbers, e.g. diff = now() - _time. strftime() converts epoch times to strings; you can't find the difference in time by subtracting one string from another, as they are the wrong data type for numerical operations!

0 Karma