How to get the date time difference of two differe...

venky10 · ‎10-02-2020

Hi, i am relatively newer to splunk, looking for a solution to get time difference is a splunk sample log like this "attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM" i need to print both ActualUpdateDate -CreatedDate and expectedUpdateDate - CreatedDate in seconds.

Experts , Could you pls help me here?

gcusello · ‎10-02-2020

Hi @venky10,

you have to extract fields using regex and convert dates in epochtime, then you can calculate the difference.

See this example:

| makeresults 
| eval _raw="attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM"
| rex "expectedUpdateDate::(?<expectedUpdateDate>[^,]+),\s+ActualUpdateDate::(?<ActualUpdateDate>[^,]+),\s+CreatedDate::(?<CreatedDate>.*)"
| eval epoch_expectedUpdateDate=strptime(expectedUpdateDate,"%Y-%m-%d %H:%M:%S"),epoch_ActualUpdateDate=strptime(ActualUpdateDate,"%m/%d/%y %H:%M"),epoch_CreatedDate=strptime(CreatedDate,"%m/%d/%y %H:%M")
| eval diff1=epoch_ActualUpdateDate-epoch_CreatedDate, diff2=epoch_expectedUpdateDate-epoch_CreatedDate
| table epoch_expectedUpdateDate expectedUpdateDate epoch_ActualUpdateDate ActualUpdateDate epoch_CreatedDate CreatedDate diff1 diff2

Ciao.

Giuseppe

How to get the date time difference of two different formatted dates

eval

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!