Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subtract two timestamps in one event

jscottmiller
New Member
‎08-24-2010 10:55 PM

Hopefully this is a simple question, but I haven't found a way to do so using either the convert or eval commands. Basically, I have two timestamps in my events, a start time and an end time. I want to compute a duration (preferably in seconds) by subtracting the two. Is there a simple way to do this?

Tags (1)
0 Karma
Reply

JohnB
Explorer
‎08-26-2010 01:56 PM

Add something like this:

| eval TotalTime = strptime(end_time, "%Y-%m-%dT%H:%M:%S%z") - strptime(start_time, "%Y-%m-%dT%H:%M:%S%z")

(Assuming your date format is in that type of time stamp).

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-24-2010 11:14 PM

You can use either convert mktime() or the eval strptime() functions to convert both timestamps to epoch time, then just subtract one from the other.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...