Splunk Search

## How to find the time difference in hours between the _time of two different fields ?

Builder

I'm going crazy calculating the difference between two fields which have epoch time. The following is my query:

Updated:

```
foo | convert ctime(time) as DateandTime|convert timeformat="%m/%d/%Y %H:%M:%S" mktime(time) as time |eventstats range(time) as duration by user| stats avg(duration) as avgDurationPeruser by user| eval Totaltimespent(outofschool)=tostring(ceil(avgDurationPeruser), "duration") | table user TotalAccessTime Totaltimespent(outof_school)
```

1 Solution
Legend

Hi pavanae,
sorry but I don't understand your question: the eval command correctly runs and gives the number of days between now() and the event's _time.
In addition I don't understand the last "if" of your search, because it's incomplete.

Bye.
Giuseppe

Builder

Sorry for posting the wrong query. Please find the updated query, @cusello.

Legend

Which are the fields to calculate the difference between?
Either way, you have to transform both fields into epoch time:

```
| eval time1=strptime(time1,"%Y-%m-%d %H:%M:%S"), time2=strptime(time2,"%Y-%m-%d %H:%M:%S")
| eval diff=time1-time2
```

assuming that the time format is `%Y-%m-%d %H:%M:%S`.

Bye.
Giuseppe

Builder

Thanks @cusello. What if I have something as below:

```
| convert ctime(a) timeformat="%H:%M" | convert ctime(stdev) timeformat="%H:%M" | convert ctime(y) timeformat="%H:%M"
```

How can I have the difference of y and a in terms of %H:%M?

Legend

You can use

```
| eval y=tostring(y,"duration")
```

Bye.
Giuseppe
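
Putting the thread's steps together for the question in the title, as an added example that is not part of any post above: it parses two timestamp strings with `strptime`, subtracts the epoch values, and reports the difference in seconds, in hours, and as a duration string. The field names (`user`, `login`, `logout` and the derived fields) and the sample values are constructed for illustration, and the timestamp format is assumed to be `%Y-%m-%d %H:%M:%S`; `parse_ok` flags events where `strptime` returned null because a value did not match that format.

```spl
| makeresults
| eval user="sample_user", login="2024-03-01 08:15:00", logout="2024-03-01 17:45:30"
| eval login_epoch=strptime(login, "%Y-%m-%d %H:%M:%S"),
       logout_epoch=strptime(logout, "%Y-%m-%d %H:%M:%S")
| eval parse_ok=if(isnull(login_epoch) OR isnull(logout_epoch), "no", "yes")
| eval diff_sec=abs(logout_epoch - login_epoch)
| eval diff_hours=round(diff_sec / 3600, 2)
| eval diff_duration=tostring(diff_sec, "duration")
| table user login logout parse_ok diff_sec diff_hours diff_duration
```

If the fields already hold epoch values, skip the `strptime` step and subtract them directly.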
