epoch time difference between first and last.

AbubakarShahid · ‎09-06-2019

Hello All,

I am trying to find the difference between first time and last time in epoch time. and i want the difference epoch time to be in human readable .

for example.:
the difference should tell me x amount days or hours.

what i have so far which let converts it in a readable format.

| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

what i need is the time difference to tell me x amount of days or either hours.

I have tried these below but it completely throw away the difference time.
| eval diff_hours = round((lastTime-firstTime)/360, 2)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

| eval new=(lastTime-firstTime)
| eval DIFF=(lastTime+new)
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S")

| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| eval DIFF=strftime(DIFF, "%Y-%m-%d %H:%M:%S")

Thanks much guys

somesoni2 · ‎09-06-2019

Try like this

| eval diff = tostring(lastTime-firstTime, "duration" )
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") 
| eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S")

richgalloway · ‎09-06-2019

If you have two timestamps in epoch form then the difference between those times is simple arithmetic.

... | eval diff = lastTime - firstTime

There are a few ways to format the difference:

... | eval diffDays = diff / 86400
... | eval diffHours = diff / 3600
... | eval diffDuration = tostring(diff, "duration")

---
If this reply helps you, Karma would be appreciated.

epoch time difference between first and last.

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration