
How to get the date time difference of two different formatted dates


Hi, I am relatively new to Splunk and am looking for a solution to get the time difference in a Splunk sample log like this: "attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM". I need to print both ActualUpdateDate - CreatedDate and expectedUpdateDate - CreatedDate in seconds.


Experts, could you please help me here?



Hi @venky10,

You have to extract the fields using a regex and convert the dates to epoch time; then you can calculate the difference.

See this example:

| makeresults 
| eval _raw="attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM"
| rex "expectedUpdateDate::(?<expectedUpdateDate>[^,]+),\s+ActualUpdateDate::(?<ActualUpdateDate>[^,]+),\s+CreatedDate::(?<CreatedDate>.*)"
| eval epoch_expectedUpdateDate=strptime(expectedUpdateDate,"%Y-%m-%d %H:%M:%S"),epoch_ActualUpdateDate=strptime(ActualUpdateDate,"%m/%d/%y %I:%M %p"),epoch_CreatedDate=strptime(CreatedDate,"%m/%d/%y %I:%M %p")
| eval diff1=epoch_ActualUpdateDate-epoch_CreatedDate, diff2=epoch_expectedUpdateDate-epoch_CreatedDate
| table epoch_expectedUpdateDate expectedUpdateDate epoch_ActualUpdateDate ActualUpdateDate epoch_CreatedDate CreatedDate diff1 diff2

Ciao.

Giuseppe
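The same three steps (regex extraction, strptime with a per-field format, subtraction of epoch seconds) carried out in Python, as an added example that is not part of the original thread or of Splunk's own code. It uses the same capture groups as the rex above and the same strptime directives, and it also shows why the 12-hour fields need %I and %p: parsing "5:44 PM" with %H:%M does not match, so parse_epoch returns None, the way Splunk's strptime returns null on a mismatch. The sample event and the function names (parse_epoch, extract_fields, compute_diffs) are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample event, copied from the log line in the question (placeholder data).
SAMPLE_EVENT = (
    "attribute1::d1 a2::d2, expectedUpdateDate::2020-09-30 23:30:00, "
    "ActualUpdateDate::10/1/20 5:44 PM, CreatedDate::9/30/20 10:14 AM"
)

# Same capture groups as the rex in the answer, in Python's named-group syntax.
FIELD_RE = re.compile(
    r"expectedUpdateDate::(?P<expectedUpdateDate>[^,]+),\s+"
    r"ActualUpdateDate::(?P<ActualUpdateDate>[^,]+),\s+"
    r"CreatedDate::(?P<CreatedDate>.*)"
)

# One strptime format per field. The two US-style fields carry a 12-hour clock
# with an AM/PM marker, so they need %I and %p; %H would read "5:44 PM" as 05:44
# (or fail to match at all) and every difference built on it would be wrong.
FORMATS = {
    "expectedUpdateDate": "%Y-%m-%d %H:%M:%S",
    "ActualUpdateDate": "%m/%d/%y %I:%M %p",
    "CreatedDate": "%m/%d/%y %I:%M %p",
}

EPOCH = datetime(1970, 1, 1)


def parse_epoch(value, fmt):
    """Seconds since 1970-01-01 for `value` parsed with `fmt`, or None when the
    value does not match the format (mirrors Splunk strptime returning null)."""
    try:
        parsed = datetime.strptime(value.strip(), fmt)
    except ValueError:
        return None
    # All timestamps are treated as naive values in one zone, so differences are exact.
    return (parsed - EPOCH).total_seconds()


def extract_fields(event):
    """Pull the three date strings out of the raw event; None if the layout differs."""
    m = FIELD_RE.search(event)
    if m is None:
        return None
    return {name: text.strip() for name, text in m.groupdict().items()}


def compute_diffs(event):
    """Return diff1 = ActualUpdateDate - CreatedDate and
    diff2 = expectedUpdateDate - CreatedDate, both in seconds, or None on a parse failure."""
    fields = extract_fields(event)
    if fields is None:
        return None
    epochs = {name: parse_epoch(fields[name], fmt) for name, fmt in FORMATS.items()}
    if any(epoch is None for epoch in epochs.values()):
        return None
    return {
        "diff1": epochs["ActualUpdateDate"] - epochs["CreatedDate"],
        "diff2": epochs["expectedUpdateDate"] - epochs["CreatedDate"],
    }


if __name__ == "__main__":
    print(compute_diffs(SAMPLE_EVENT))  # {'diff1': 113400.0, 'diff2': 47760.0}
```

For the sample event this gives diff1 = 113400 s (31 h 30 min between 9/30 10:14 AM and 10/1 5:44 PM) and diff2 = 47760 s (13 h 16 min). The None return on a format mismatch is worth keeping in the SPL version too: a null epoch field silently drops the row from the subtraction, so checking for it (for example with isnull) makes a wrong strptime format visible instead of producing an empty diff column.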
