Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract a static number (e.g.. minutes, hours, seconds) from a timestamp?

jclemons7
Path Finder
‎12-10-2015 09:57 AM

Hello,

I have a timestamp formatted as 2015-10-14T10:04:47.962Z and I'd like to add or subtract a fixed number of minutes from it. I've tried things similar to timestamp-5m and stuff that I'm too embarrassed to put here, to no avail. Your help is GREATLY appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-10-2015 10:15 AM

There are two ways to do that (perhaps others will have more), but both require the timestamp be converted to epoch time first.

... | eval ts=strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z") | eval newts=ts-300 | ...

... | eval ts=strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z") | eval newts=relative_time(ts, -5m) | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-10-2015 10:15 AM

There are two ways to do that (perhaps others will have more), but both require the timestamp be converted to epoch time first.

... | eval ts=strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z") | eval newts=ts-300 | ...

... | eval ts=strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%3N%Z") | eval newts=relative_time(ts, -5m) | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

gabrell
New Member
‎12-14-2015 09:38 AM

Hi, how can I convert this format of Time?

start time: 2015-12-13T23:55:02+00:00
end time : 2015-12-15T23:55:02+00:00

And then I need to get the time taken from start to end TMA = (Start time - End Time) | table TMA

Can you help me out?

Thanks.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2015 09:58 AM

Please post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jclemons7
Path Finder
‎12-10-2015 10:58 AM

Your answer worked, but it dawned on me that I already had the value in epoch.. so I just did this

| eval ts=(_time - (5 * 60))  | .....
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...