Splunk Search
Highlighted

## How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

Hi All,

I might be over thinking this one, but since I've already used time--> ...| stats earliest(time) as firstseen, latest(time) as lastseen, ... |, is it possible find the "currenttime"?

What I want to do is do something like ..| eval dayssince=(currenttime-last_seen)

Is this possible?

Thanks!

Tags (3)
1 Solution
Highlighted

## Re: How to find the time difference in days between the _time of an event and the current time?

Community Manager

Hi @KolGr001

Are you looking for something like this?

...| eval dayssince=(now()-lastseen)

Highlighted

## Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

There are two `eval` functions for this, `now()` and `time()`. The major distinction is that `now()` will be stable over a long-running search while `time()` will yield a potentially new timestamp for every event/row/invocation... usually you'll want `now()` like this:

``````... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")
``````

I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.

Highlighted

## Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:

http://screencast.com/t/9yVnvtpl

I'd like to be able to show something like "Today", 1 Day, or if greater than 1 , "x Days". Here is what I was thinking using the case function:

| eval dayssincelasttxn=case(dayssincelasttxn=0,"Today",dayssincelasttxn=1,"1 Day",dayssincelasttxn>1, dayssincelast_txn."[".Days."]")

This didn't work for me, but do you have any insight on rounding by number of days?

Thank you!

Highlighted

## Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

So... this?

``````... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
``````
Highlighted

SplunkTrust

Thank you!

Highlighted

## Re: How to find the time difference in days between the _time of an event and the current time?

Legend

Pipe reltime to original query which created a field reltime to give time difference between now and _time in humar readable form.

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Reltime

| eval message="Happy Splunking!!!"