Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract two time fields?

cotyp
Path Finder
‎02-14-2018 09:34 AM

How would I go about subtracting EndTime from BeginTime?

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-14-2018 09:42 AM

Try this run anywhere search:

|makeresults|eval EndTime="2/14/2018 9:28:19", BeginTime="2/6/2018 14:53:45"|eval EndTime=strptime(EndTime,"%m/%d/%Y %H:%M:%S"), BeginTime=strptime(BeginTime,"%m/%d/%Y %H:%M:%S")|eval days=round((EndTime-BeginTime)/86400)

View solution in original post

Reply
Solved! Jump to solution

adonio
Ultra Champion
‎02-14-2018 09:45 AM

hello there,
try this:

... your search ...
|eval end_time_epoch = strptime(EndTime, "%m/%d/%Y %H:%M:%S")
|eval begin_time_epoch = strptime(BeginTime, "%m/%d/%Y %H:%M:%S")
| eval duration = end_time_epoch - begin_time_epoch

hope it helps

Reply
Solved! Jump to solution

cotyp
Path Finder
‎02-14-2018 12:39 PM

How would I make the epoch time human readable? Results to display in a manner such as, 8d 15 hrs 20 minutes?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎02-14-2018 01:20 PM

try this at the end of your query:

  | eval "duration_Days+HHMMSS" = tostring(duration, "duration")
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-14-2018 09:42 AM

Try this run anywhere search:

|makeresults|eval EndTime="2/14/2018 9:28:19", BeginTime="2/6/2018 14:53:45"|eval EndTime=strptime(EndTime,"%m/%d/%Y %H:%M:%S"), BeginTime=strptime(BeginTime,"%m/%d/%Y %H:%M:%S")|eval days=round((EndTime-BeginTime)/86400)
Reply
Solved! Jump to solution

cotyp
Path Finder
‎02-14-2018 12:38 PM

how would you go about getting results in minutes?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-14-2018 07:02 PM

to get results in min divide the difference(in sec.) by 60

...|eval minutes=round((EndTime-BeginTime)/60)
0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-14-2018 07:30 PM

if you want duration in day hr and min then try this run anywhere search:

|makeresults|eval EndTime="2/14/2018 9:28:19", BeginTime="2/6/2018 14:53:45"|eval EndTime=strptime(EndTime,"%m/%d/%Y %H:%M:%S"), BeginTime=strptime(BeginTime,"%m/%d/%Y %H:%M:%S")| eval stringSecs = tostring((EndTime-BeginTime), "duration")| eval stringSecss = replace(stringSecs,"(\d+)\+(\d+)\:(\d+)\:.*","\1d \2h \3min ")
Reply
Solved! Jump to solution

cotyp
Path Finder
‎02-15-2018 06:13 AM

thank you!

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-15-2018 06:16 AM

Glad to help you:) Please accept the answer as well.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...