Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why are milliseconds getting padded with multiple zeros when converting timestamps to epoch format to calculate time difference?

ambujhbti
New Member
‎07-15-2015 02:15 PM

Hello ,

I am trying to calculate time diff between two fields in a single event.

My current search:

sourcetype="XXXXXX"   host="XXXXXX" |convert timeformat="%m/%d/%Y %H:%M:%S:%N" mktime(End_time)|convert timeformat="%m/%d/%Y %H:%M:%S:%N" mktime(WILY_Date)| eval diff=End_time-WILY_Date| where diff <0| eval eventid=index + "__" + _cd+"__" + splunk_server|table eventid diff End_time WILY_Date

I also tried 

sourcetype="XXXXXX"   host="XXXXXX"  |eval diff= strptime(End_time,"%m/%d/%Y %H:%M:%S:%3N")- strptime(WILY_Date,"%m/%d/%Y %H:%M:%S:%3N")  |where diff <0| eval eventid=index + "__" + _cd+"__" + splunk_server|table eventid diff End_time WILY_Date

But what I see is, when then the timestamp is converted to epoch format, the milliseconds field is padded with 0s.

For example:

WILY_Date: 06/25/2015 09:59:43:58
End_time: 06/25/2015 09:59:43:230

the above time is converted to 

WILY_Date: 06/25/2015 09:59:43:5800000
End_time: 06/25/2015 09:59:43:23000000

So that difference between diff=End_time-WILY_Date results in negative values. For more clarity I have attached the screen-shot.

I don't know what to do about it. Can somebody help me? It's already eaten much of my time.

Thank you!

Preview file
63 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2015 03:18 PM

The key issue is that your subseconds aren't padded with zeroes to the left. Basically, Splunk is seeing 43.58 seconds and not 43 seconds, 58 milliseconds. Use this instead of your convert:

... | eval WILY_Date = strptime(replace(replace(WILY_Date, ":(\d)$", ":0\1"), ":(\d\d)$", ":0\1"), "%m/%d/%Y %H:%M:%S:%N")

This will add one or two zeroes between the colon and the milliseconds to turn it into proper subseconds.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-15-2015 03:18 PM

The key issue is that your subseconds aren't padded with zeroes to the left. Basically, Splunk is seeing 43.58 seconds and not 43 seconds, 58 milliseconds. Use this instead of your convert:

... | eval WILY_Date = strptime(replace(replace(WILY_Date, ":(\d)$", ":0\1"), ":(\d\d)$", ":0\1"), "%m/%d/%Y %H:%M:%S:%N")

This will add one or two zeroes between the colon and the milliseconds to turn it into proper subseconds.

Reply
Solved! Jump to solution

ambujhbti
New Member
‎07-16-2015 08:51 AM

Hello Martin,

Thank you so much!

0 Karma
Reply
Solved! Jump to solution

ambujhbti
New Member
‎07-15-2015 02:26 PM

Hello,

One more example

TimeDifference End_time WILY_Date
-.22 07/15/2015 16:21:09:343000000 07/15/2015 16:21:09:560000000
-.65 07/15/2015 16:21:09:299000000 07/15/2015 16:21:09:950000000
-.53 07/15/2015 16:21:08:269000000 07/15/2015 16:21:08:800000000
-.29 07/15/2015 16:21:08:155000000 07/15/2015 16:21:08:440000000
-.3 07/15/2015 16:21:21:550000000 07/15/2015 16:21:21:580000000
-.11 07/15/2015 16:21:21:505000000 07/15/2015 16:21:21:620000000
-.44 07/15/2015 16:21:21:400000000 07/15/2015 16:21:21:840000000
-.63 07/15/2015 16:21:21:347000000 07/15/2015 16:21:21:980000000

Thank you!

0 Karma
Reply
Solved! Jump to solution

ambujhbti
New Member
‎07-15-2015 02:25 PM

Hello ,

I am presenting one more example to show data.

TimeDifference End_time WILY_Date
-.22 07/15/2015 16:21:09:343000000 07/15/2015 16:21:09:560000000
-.65 07/15/2015 16:21:09:299000000 07/15/2015 16:21:09:950000000
-.53 07/15/2015 16:21:08:269000000 07/15/2015 16:21:08:800000000
-.29 07/15/2015 16:21:08:155000000 07/15/2015 16:21:08:440000000
-.3 07/15/2015 16:21:21:550000000 07/15/2015 16:21:21:580000000
-.11 07/15/2015 16:21:21:505000000 07/15/2015 16:21:21:620000000
-.44 07/15/2015 16:21:21:400000000 07/15/2015 16:21:21:840000000
-.63 07/15/2015 16:21:21:347000000 07/15/2015 16:21:21:980000000

Thank you.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...