Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to subtract the date in my search?

abhi04
Communicator
‎06-04-2018 09:01 AM

How to subtract the below date?

End Time is 2018-06-04-10.45.09
Start Time is 2018-06-04-10.45.00

End Time - Start Time

0 Karma
Reply

adonio
Ultra Champion
‎06-04-2018 09:38 AM

adding to the comments and nice answer above by @jconger,
below is a sample search to run anywhere. i added a field some_id that you can group your query by. for example if there is a transaction id or something of that sort. th efirst 6 lines are generating data, the rest is the solution

| makeresults count =1 
| eval field = "some_id"
| eval data = "End_Time=2018-06-04-10.45.09,Start_Time=2018-06-04-10.45.00"
| makemv delim="," data
| mvexpand data
| rex field=data "(?<time_field>\S+)\=(?<time_value>\S+)"
| eval time_in_epoch = strptime(time_value, "%Y-%m-%d-%H.%M.%S")
| eval end_time_epoch = if(time_field="End_Time",time_in_epoch,null())
| eval start_time_epoch = if(time_field="Start_Time",time_in_epoch,null())
| stats values(*_time_epoch) as *_time_epoch by field
| eval diff_in_sec = round(end_time_epoch - start_time_epoch, 0)
| eval diff_human=tostring(diff_in_sec, "duration")

see screenshot below:

alt text

hope it helps

Preview file
104 KB
0 Karma
Reply

jconger
Splunk Employee
Splunk Employee
‎06-04-2018 09:22 AM

What do you want as the difference? If it is just a number of seconds between the two, the following will work:

| makeresults | eval End_Time="2018-06-04-10.45.09" | eval Start_Time="2018-06-04-10.45.00" | convert timeformat="%Y-%m-%d-%H.%M.%S" mktime(End_Time) AS EndTime  mktime(Start_Time) AS StartTime | eval diff = EndTime - StartTime
0 Karma
Reply

mdsnmss
SplunkTrust
SplunkTrust
‎06-04-2018 09:20 AM

You could convert to epoch and subtract. Try something like: | eval epoch1=strptime(endTime,"%Y-%m-%d-%H.%M.%S") | eval epoch2=strptime(startTime,"%Y-%m-%d-%H.%M.%S") | eval timediff=epoch1-epoch2

This gives you the difference in seconds. You can convert as needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...