Solved: Re: Trying to get difference between _time and _in...

vinay4444 · ‎12-04-2015

Tried using below search, but can't get result. I get null values in diff:

XXX| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")  |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")  | eval diff= tostring(indextime - capturetime) | table indextime capturetime diff

Am I missing something?

jplumsdaine22 · ‎12-04-2015

Just do the diff calculation on the actual epoch value, before your strftime evals.

XXX| eval diff= _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") |  | table indextime capturetime diff

View solution in original post

jplumsdaine22 · ‎12-04-2015

Just do the diff calculation on the actual epoch value, before your strftime evals.

XXX| eval diff= _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") |  | table indextime capturetime diff

vinay4444 · ‎12-04-2015

i tried that but it does not give the difference in min or secs
e.g
capturetime indextime diff
2015-12-04 07:33:44 2015-12-04 07:33:50 6

jplumsdaine22 · ‎12-04-2015

The diff field is in seconds.
The _indextime and _time fields are in unix epoch time format, the number of seconds since January 1970. When you subtract one from the other the result is a value expressed in seconds

vinay4444 · ‎12-04-2015

Ok got it thanks!

jplumsdaine22 · ‎12-04-2015

No problem mate. If that's working for you do you mind accepting the answer?

Cheers

Trying to get difference between _time and _indextime in secs format

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...