Why am I unable to find the time difference between two dates with my current eval statements?

Builder

Hi all.

I have one field called date1 with a timestamp like this:

5/7/16 16:35

I need the time difference (just for the date) in days against now(). I am using this expression:

...  | eval onlydate=strftime(strptime(date1,"%-m/%d/%y %H:%M"),"%-m/%-d/%y") | eval nowstring=strftime(now(), "%-m/%-d/%y")

It works well, but I can't calculate the time difference between nowstring and onlydate, even though both are in the same format. Any clue? I tried using

... | eval difference=(nowstring - onlydate)

And it didn't work.

Thanks!

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Legend

strftime is a string format. You need to change to epoch time or a number to do math. So try this

| eval onlydate=strptime(date1,"%-m/%d/%y %H:%M") | eval datediff=tostring(now() - onlydate, "duration")

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Builder

Great, thanks. The datediff result is in epoch; how can I convert it to a human-readable format? I tried with:

. | eval formatted_time=strftime(datediff/1000, "%H:%M:%S %d-%m-%Y")

Without luck.

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Builder

My datediff field has values like 6+08:19:34.000000.

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Communicator

Something like:

...|eval formatted_time=strftime(datediff,"%F %T")

Should do the trick.

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Legend

datediff is in seconds. The duration format is days+hours:mins:seconds.microseconds. What format are you looking for?

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Legend

You could do something like this

...| eval onlydate=strptime(date1,"%-m/%d/%y %H:%M") | eval datediff=tostring(round(now() - onlydate, 0), "duration") | eval datediff= replace(datediff,"(\d*)\+?(\d+)\:(\d+)\:(\d+)","\1d \2h \3min \4s")

Re: Why am I unable to find the time difference between two dates with my current eval statements?

Builder

Thanks a lot!

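Added example, not part of the original thread or written by any of its posters: a self-contained search for the original ask, the difference in whole calendar days between date1 and now(). It snaps both epoch values to midnight with relative_time before subtracting, guards against a date1 that strptime cannot parse (strptime returns null in that case), and also shows the elapsed time as a duration string. The makeresults row, the sample value, and the field names date_epoch, days_diff and elapsed are constructed for illustration; the strptime format string is the one used in the thread.

```spl
| makeresults
| eval date1="5/7/16 16:35"
| eval date_epoch=strptime(date1, "%-m/%d/%y %H:%M")
| eval days_diff=if(isnull(date_epoch), null(), round((relative_time(now(), "@d") - relative_time(date_epoch, "@d")) / 86400))
| eval elapsed=if(isnull(date_epoch), "unparseable date1", tostring(round(now() - date_epoch), "duration"))
| table date1 date_epoch days_diff elapsed
```

round() rather than floor() is used on the day count because a daylight-saving change between the two midnights makes the difference an hour more or less than a multiple of 86400 seconds.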