How to get the date time difference of two different formatted dates

venky10
Loves-to-Learn Everything

Hi, I am relatively new to Splunk, looking for a solution to get the time difference in a Splunk sample log like this: "attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM". I need to print both ActualUpdateDate - CreatedDate and expectedUpdateDate - CreatedDate in seconds.

Experts, could you please help me here?


gcusello
Legend

Hi @venky10,

You have to extract the fields using a regex and convert the dates to epoch time; then you can calculate the difference.

See this example:

| makeresults
| eval _raw="attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM"
| rex "expectedUpdateDate::(?<expectedUpdateDate>[^,]+),\s+ActualUpdateDate::(?<ActualUpdateDate>[^,]+),\s+CreatedDate::(?<CreatedDate>.*)"
| eval epoch_expectedUpdateDate=strptime(expectedUpdateDate,"%Y-%m-%d %H:%M:%S"),epoch_ActualUpdateDate=strptime(ActualUpdateDate,"%m/%d/%y %I:%M %p"),epoch_CreatedDate=strptime(CreatedDate,"%m/%d/%y %I:%M %p")
| eval diff1=epoch_ActualUpdateDate-epoch_CreatedDate, diff2=epoch_expectedUpdateDate-epoch_CreatedDate
| table epoch_expectedUpdateDate expectedUpdateDate epoch_ActualUpdateDate ActualUpdateDate epoch_CreatedDate CreatedDate diff1 diff2

Ciao.

Giuseppe
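An added example, not code from this thread, that performs the same three steps (regex extraction, date parsing, subtraction in seconds) in Python so the expected values can be checked before the SPL is run. It assumes the field names from the question and uses the 12-hour `%I:%M %p` format for the AM/PM fields; the sample event is the question's log line.

```python
import re
from datetime import datetime

# Constructed sample event, taken from the question's log line (not a live log).
SAMPLE = ("attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, "
          "ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM")

# Same pattern as the SPL rex stage: each date value runs up to the next comma.
FIELD_RE = re.compile(
    r"expectedUpdateDate::(?P<expectedUpdateDate>[^,]+),\s+"
    r"ActualUpdateDate::(?P<ActualUpdateDate>[^,]+),\s+"
    r"CreatedDate::(?P<CreatedDate>.*)"
)

# strptime format per field; %I and %p are needed for the 12-hour AM/PM values.
FORMATS = {
    "expectedUpdateDate": "%Y-%m-%d %H:%M:%S",
    "ActualUpdateDate": "%m/%d/%y %I:%M %p",
    "CreatedDate": "%m/%d/%y %I:%M %p",
}


def extract_fields(raw: str) -> dict:
    """Pull the three date strings out of one event (mirrors the rex command)."""
    m = FIELD_RE.search(raw)
    if not m:
        raise ValueError("event does not contain the expected date fields")
    return m.groupdict()


def time_diffs(raw: str) -> dict:
    """Return ActualUpdateDate-CreatedDate and expectedUpdateDate-CreatedDate in seconds."""
    fields = extract_fields(raw)
    parsed = {n: datetime.strptime(fields[n].strip(), FORMATS[n]) for n in FORMATS}
    # Subtracting naive datetimes avoids any local-timezone effect of timestamp().
    return {
        "diff1": int((parsed["ActualUpdateDate"] - parsed["CreatedDate"]).total_seconds()),
        "diff2": int((parsed["expectedUpdateDate"] - parsed["CreatedDate"]).total_seconds()),
    }


def parses_with_24h_format(value: str) -> bool:
    """True if a value is accepted by the 24-hour format %H:%M (a PM value is not)."""
    try:
        datetime.strptime(value, "%m/%d/%y %H:%M")
        return True
    except ValueError:  # 'unconverted data remains:  PM'
        return False


if __name__ == "__main__":
    print(time_diffs(SAMPLE))                          # {'diff1': 113400, 'diff2': 47760}
    print(parses_with_24h_format("10/1/20 5:44 PM"))   # False
```

Python's strptime rejects the trailing " PM" outright, whereas a 24-hour format applied to a PM value in Splunk would silently yield a time 12 hours too early, so the check above is worth running on a few sample values before trusting the differences.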
