I have one field called date1 with a timestamp like this:
I need the time difference (just for the date) in days against
now(). I am using this expression:
... | eval onlydate=strftime(strptime(date1,"%-m/%d/%y %H:%M"),"%-m/%-d/%y") | eval nowstring=strftime(now(), "%-m/%-d/%y")
It works well, but I can't calculate the time difference between nowstring and onlydate, and both are in the same format. Any clue? I tried using:
... | eval difference=(nowstring - onlydate)
And it didn't work.
strftime is a string format. You need to change to epoch time or a number to do math. So try this:
| eval onlydate=strptime(date1,"%-m/%d/%y %H:%M") | eval datediff=tostring(now() - onlydate, "duration")
Great, thanks. The datediff result is in epoch; how can I convert it to human-readable? I tried with:
... | eval formatted_time=strftime(datediff/1000, "%H:%M:%S %d-%m-%Y")
...|eval formatted_time=strftime(datediff,"%F %T")
Should do the trick.
datediff is in seconds. Duration format is days+hours:mins:seconds.microseconds. What format are you looking for?
You could do something like this:
...| eval onlydate=strptime(date1,"%-m/%d/%y %H:%M") | eval datediff=tostring(round(now() - onlydate, 0), "duration") | eval datediff=replace(datediff,"^(\d+)\+(\d+):(\d+):(\d+)$","\1d \2h \3min \4s") | eval datediff=replace(datediff,"^(\d+):(\d+):(\d+)$","0d \1h \2min \3s")
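An added example, not part of any post above, that answers the original question as a whole-day difference between calendar dates. The three `date1` values are constructed with `makeresults`, the zero-padded format `%m/%d/%y %H:%M` is an assumption about the data, and the field names `sample`, `event_epoch`, `days_diff` and `elapsed` are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample=case(n==1, relative_time(now(), "@d") - 600,
                   n==2, relative_time(now(), "@d"),
                   n==3, relative_time(now(), "-45d@d") + 43200)
| eval date1=strftime(sample, "%m/%d/%y %H:%M")
| eval event_epoch=strptime(date1, "%m/%d/%y %H:%M")
| eval days_diff=round((relative_time(now(), "@d") - relative_time(event_epoch, "@d")) / 86400)
| eval elapsed=tostring(round(now() - event_epoch), "duration")
| table date1 days_diff elapsed
```

The first row (ten minutes before today's midnight) reports `days_diff=1` even though `elapsed` can be well under a day, because both timestamps are snapped to midnight with `@d` before subtracting. The `round` absorbs the 23- or 25-hour day around a DST change.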