Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

epoch time difference between first and last.

AbubakarShahid
New Member
‎09-06-2019 09:56 AM

Hello All,

I am trying to find the difference between first time and last time in epoch time. and i want the difference epoch time to be in human readable .

for example.:
the difference should tell me x amount days or hours.

what i have so far which let converts it in a readable format.

| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

what i need is the time difference to tell me x amount of days or either hours.

I have tried these below but it completely throw away the difference time.
| eval diff_hours = round((lastTime-firstTime)/360, 2)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

| eval new=(lastTime-firstTime)
| eval DIFF=(lastTime+new)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval DIFF=strftime(DIFF, "%Y-%m-%d %H:%M:%S")

Thanks much guys

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎09-06-2019 12:00 PM

Try like this

| eval diff = tostring(lastTime-firstTime, "duration" )
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") 
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-06-2019 11:59 AM

If you have two timestamps in epoch form then the difference between those times is simple arithmetic.

... | eval diff = lastTime - firstTime

There are a few ways to format the difference:

... | eval diffDays = diff / 86400
... | eval diffHours = diff / 3600
... | eval diffDuration = tostring(diff, "duration")
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...