Splunk Search
Highlighted

## Why am I unable to find the time difference between two dates with my current eval statements?

Builder

Hi all.

I have one field called date1 with a timestamp like this:

5/7/16 16:35

I need the time difference (just for the date) in days against `now()`. I am using this expression:

``````...  | eval onlydate=strftime(strptime(date1,"%-m/%d/%y %H:%M"),"%-m/%-d/%y") | eval nowstring=strftime(now(), "%-m/%-d/%y")
``````

And works well, but I can't calculate the time difference between nowstring and onlydate and both are in the same format. Any clue? I tried using

``````... | eval difference=(nowstring - onlydate)
``````

And didn't work.

Thanks!

Tags (5)
1 Solution
Highlighted

## Re: Why am I unable to find the time difference between two dates with my current eval statements?

Legend

strftime is a string format. You need to change to epoch time or a number to do math. So try this

``````| eval onlydate=strptime(date1,"%-m/%d/%y %H:%M") | eval datediff=tostring(now() - onlydate, "duration")
``````
Highlighted

## Re: Why am I unable to find the time difference between two dates with my current eval statements?

Builder

Great, thanks. Datediff result is in epoch, how i can convert to human? i tried with:

``````. | eval formatted_time=strftime(datediff/1000, "%H:%M:%S %d-%m-%Y")
``````

Without luck.

Highlighted

## Re: Why am I unable to find the time difference between two dates with my current eval statements?

Builder

My datediff field has values like 6+08:19:34.000000.

Highlighted

## Re: Why am I unable to find the time difference between two dates with my current eval statements?

Communicator

Something like:

``````...|eval formatted_time=strftime(datediff,"%F %T")
``````

Should do the trick.

Highlighted

## Re: Why am I unable to find the time difference between two dates with my current eval statements?

Legend

datediff is in seconds. duration format is days+hours:mins:seconds.microseconds. what format are you looking for?

Highlighted

## Re: Why am I unable to find the time difference between two dates with my current eval statements?

Legend

You could do something like this

``````...| eval onlydate=strptime(date1,"%-m/%d/%y %H:%M") | eval datediff=tostring(round(now() - onlydate, 0), "duration") | eval datediff= replace(datediff,"(\d*)\+?(\d+)\:(\d+)\:(\d+)","\1d \2h \3min \4s")
``````
Highlighted

Builder

Thanks a lot!