Solved: Trying to get difference between _time and _indext... - Splunk Community

Splunk Search

Tried using below search, but can't get result. I get null values in diff:

XXX| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")  |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S")  | eval diff= tostring(indextime - capturetime) | table indextime capturetime diff

Am I missing something?

1 Solution

Solution

Just do the diff calculation on the actual epoch value, before your strftime evals.

XXX| eval diff= _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") |  | table indextime capturetime diff

View solution in original post

Solution

Just do the diff calculation on the actual epoch value, before your strftime evals.

XXX| eval diff= _indextime - _time | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") |eval capturetime=strftime(_time,"%Y-%m-%d %H:%M:%S") |  | table indextime capturetime diff

i tried that but it does not give the difference in min or secs
e.g
capturetime indextime diff
2015-12-04 07:33:44 2015-12-04 07:33:50 6

The diff field is in seconds.
The _indextime and _time fields are in unix epoch time format, the number of seconds since January 1970. When you subtract one from the other the result is a value expressed in seconds

Ok got it thanks!

No problem mate. If that's working for you do you mind accepting the answer?

Cheers

Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...