Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the time difference of two timestamp in minutes?

mikeyty07
Communicator
‎07-20-2023 09:41 AM

I 've  two fields one is _time and another one is received_time.  I want to get the time differences between these two timestamp.  

Logs look like 
2023-07-11 11:19:24.964 ..... received_time= 1688574223791

I converted the epoch to human readable but i couldnt get the time differences  between these two timestamp.

my search:

<query> | rex "received_time\"\:(?<recTime>[^\,]+)" | eval recTime = strftime(recTime/1000, "%Y-%m-%d %H:%M:%S.%3N")
| eval diff = recTime - _time 
| table recTime _time  diff

but it doesnt show any data on diff. Am I missing something?

 

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2023 10:52 PM

Hi @mikeyty07,

yes, it's possible, please try this:

<your_search> 
| rex "received_time\"\:(?<recTime>[^\,]+)" 
| eval diff = recTime - _time 
| eval recTime = strftime(recTime/1000, "%Y-%m-%d %H:%M:%S.%3N")
| eval diff=tostring(diff,"duration")
| table recTime _time  diff

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-20-2023 10:07 AM

If you extract your recTime as a string from the raw event you have to either parse it into a numerical timestamp with strptime() or at least (if it's already in epoch) cast it to integer by using tonumber().

EDIT: OK. I just noticed that in your raw data timestamp is already numerical. So you need to do

| eval diff = tonum(recTime)/1000 - _time

Also - when you're manipulating time, it's often more convenient to use fieldformat instead of eval to produce human-readable time strings. But if you insist on rendering timestamp to string with eval, do it after you calculate the diff part.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2023 09:45 AM

Hi @mikeyty07 

you can calculate diff before tranforming timestamps from epoch to human readable.

<your_search> 
| rex "received_time\"\:(?<recTime>[^\,]+)" 
| eval diff = recTime - _time 
| eval recTime = strftime(recTime/1000, "%Y-%m-%d %H:%M:%S.%3N")
| table recTime _time  diff

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

mikeyty07
Communicator
‎07-20-2023 12:35 PM
_timerecTimediff
2023-07-11 11:12:44.8882023-07-11 11:15:55.9990 00:03:11.111


the diff is coming in numerical can it be done like this table? 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-21-2023 04:25 AM

Sure. Since _time is being internally stored as a number of seconds, all arithmetics involving this number will yield number of seconds. There are several functions allowing you to convert it to more human-friendly format.

Of course you could calculate it manually, but you can use - as @gcusello already showed - the convert() function. I would however use fieldformat instead of eval to keep the value internally as a number (which makes it easier to do subsequent manipulations if you need it or sorting).

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-20-2023 10:52 PM

Hi @mikeyty07,

yes, it's possible, please try this:

<your_search> 
| rex "received_time\"\:(?<recTime>[^\,]+)" 
| eval diff = recTime - _time 
| eval recTime = strftime(recTime/1000, "%Y-%m-%d %H:%M:%S.%3N")
| eval diff=tostring(diff,"duration")
| table recTime _time  diff

Ciao.

Giuseppe

Reply
Solved! Jump to solution

mikeyty07
Communicator
‎07-28-2023 09:16 AM

this gave me the idea to change time to numeric and from there strftime and do calculate the time diff

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2023 10:05 PM

Hi @mikeyty07 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...