Splunk Search

epoch time difference between first and last.

AbubakarShahid
New Member

Hello All,

I am trying to find the difference between first time and last time in epoch time, and I want the epoch time difference to be in human-readable form.

For example: the difference should tell me x amount of days or hours.

What I have so far, which converts it into a readable format:

| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

What I need is the time difference to tell me x amount of days or hours.

I have tried these below, but they completely throw away the difference time.
| eval diff_hours = round((lastTime-firstTime)/360, 2)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

| eval new=(lastTime-firstTime)
| eval DIFF=(lastTime+new)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval DIFF=strftime(DIFF, "%Y-%m-%d %H:%M:%S")

Thanks much guys


somesoni2
Revered Legend

Try like this

| eval diff = tostring(lastTime-firstTime, "duration" )
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") 
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

richgalloway
SplunkTrust

If you have two timestamps in epoch form then the difference between those times is simple arithmetic.

... | eval diff = lastTime - firstTime

There are a few ways to format the difference:

... | eval diffDays = diff / 86400
... | eval diffHours = diff / 3600
... | eval diffDuration = tostring(diff, "duration")
---
If this reply helps you, Karma would be appreciated.
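
The order of operations both answers rely on, as an added example that is not part of the original thread: the difference is computed while firstTime and lastTime are still numeric epoch values, and only afterwards are they turned into strings with strftime. The host names and epoch values are constructed sample data, and deriving firstTime/lastTime with stats min/max per host is an assumption about where the fields come from.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n<=3, "hostA", "hostB")
| eval _time=1700000000 + case(n==1, 0, n==2, 5400, n==3, 273600, n==4, 60, n==5, 120, n==6, 45000)
| stats min(_time) AS firstTime max(_time) AS lastTime BY host
| eval diff=lastTime-firstTime
| eval diffDays=round(diff/86400, 2), diffHours=round(diff/3600, 2), diffDuration=tostring(diff, "duration")
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"), lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| table host firstTime lastTime diff diffDays diffHours diffDuration
```

Moving the strftime line above the diff line turns both fields into strings, so the subtraction no longer has numbers to work with.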