Solved: Trying to get difference between _time and _indext... - Splunk Community

Splunk Search

Tried using below search, but can't get result. I get null values in diff:

XXX| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")  |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")  | eval diff= tostring(indextime - capturetime) | table indextime capturetime diff

Am I missing something?

1 Solution

Solution

Just do the diff calculation on the actual epoch value, before your strftime evals.

XXX| eval diff= _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") |  | table indextime capturetime diff

View solution in original post

Solution

Just do the diff calculation on the actual epoch value, before your strftime evals.

XXX| eval diff= _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") |  | table indextime capturetime diff

i tried that but it does not give the difference in min or secs
e.g
capturetime indextime diff
2015-12-04 07:33:44 2015-12-04 07:33:50 6

The diff field is in seconds.
The _indextime and _time fields are in unix epoch time format, the number of seconds since January 1970. When you subtract one from the other the result is a value expressed in seconds

Ok got it thanks!

No problem mate. If that's working for you do you mind accepting the answer?

Cheers

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...