Hello Splunk Community,
Can anyone help me build a query based on the below:
I want to convert a field (Fri Oct 8 23:15:05 AEDT 2021) into time format and then calculate the duration by subtracting the start time from the end time.
Appreciate your help 🙂
You can achieve this by using the strptime function and the tostring function.
Can you please try this?
YOUR_SEARCH
| eval start_epoch=strptime(start_time,"%a %b %d %H:%M:%S %Z %Y"), end_epoch=strptime(end_time,"%a %b %d %H:%M:%S %Z %Y"), diff_in_sec=end_epoch-start_epoch, duration=tostring(diff_in_sec,"duration")
My sample search:
| makeresults
| eval start_time="Fri Oct 8 23:15:05 AEDT 2021", end_time="Fri Oct 8 23:20:05 AEDT 2021"
| eval start_epoch=strptime(start_time,"%a %b %d %H:%M:%S %Z %Y"), end_epoch=strptime(end_time,"%a %b %d %H:%M:%S %Z %Y"), diff_in_sec=end_epoch-start_epoch, duration=tostring(diff_in_sec,"duration")
References:
Date and time format variables
I hope this will help you.
Thanks
KV
▄︻̷̿┻̿═━一 😉
If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.
Thank you Karma! This was exactly what I needed, appreciate your help 😀