Splunk Search

subtracting from now(), or more specifically the time the query is run

samnew4598
Explorer

Hello all, I'm having trouble getting the correct difference in time when subtracting from the now() function. Any help would be appreciated. Here is my sample query:

Where my start time stamp looks like: 2005-07-05T04:28:34.453494Z

index=main
| where status_1="open"
| eval start=strptime(create_time, "%Y-%m-%dT%H:%M:%S.%6QZ")
| eval current_time=now()
| eval diff=current_time-start
| fieldformat diff=tostring(diff, "duration")
| table _time, id_box, diff, start, end


venkatasri
SplunkTrust

Hi @samnew4598 

Your query is fine. What is getting assigned to diff is 5852+05:56:10.546506; here 5852 is the number of days, in days+HH:MM:SS.Milliseconds format. Are you expecting a different output format?

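To check the value the answer describes offline, here is an added Python example (not part of the original thread, and not Splunk code) that reproduces what the SPL above does: parse the ISO-8601 UTC create_time with six-digit subseconds, subtract it from a reference "now", and render the result in the days+HH:MM:SS.microseconds form shown in the answer. Splunk's %6Q directive is assumed to correspond to Python's %f; the reference timestamp passed in place of now() is a constructed value so the result is reproducible.

```python
"""Added example: mirror the SPL strptime/now()/tostring(duration) pipeline in Python."""
from datetime import datetime, timezone

# The Splunk format from the question and its Python equivalent.
# Splunk's %6Q (six subsecond digits) maps to Python's %f (assumption).
SPLUNK_FORMAT = "%Y-%m-%dT%H:%M:%S.%6QZ"
PYTHON_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_create_time(text: str) -> float:
    """Equivalent of strptime(create_time, SPLUNK_FORMAT): UTC string -> epoch seconds."""
    dt = datetime.strptime(text, PYTHON_FORMAT).replace(tzinfo=timezone.utc)
    return dt.timestamp()


def to_duration(seconds: float) -> str:
    """Render a second count as days+HH:MM:SS.microseconds, the form shown in the answer."""
    whole, frac = divmod(seconds, 1)
    whole = int(whole)
    micros = int(round(frac * 1_000_000))
    if micros == 1_000_000:          # rounding carried into the next second
        whole += 1
        micros = 0
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}+{hours:02d}:{minutes:02d}:{secs:02d}.{micros:06d}"


def diff_duration(create_time: str, now_ts: float) -> str:
    """eval diff=now()-start, then tostring(diff, "duration"); now_ts stands in for now()."""
    return to_duration(now_ts - parse_create_time(create_time))


if __name__ == "__main__":
    # Constructed reference "now" (epoch seconds) chosen so the output matches the answer.
    sample_now = 1626171885.0
    print(diff_duration("2005-07-05T04:28:34.453494Z", sample_now))
```

Running this with a live reference (`datetime.now(timezone.utc).timestamp()`) in place of the constructed value gives the same kind of days+HH:MM:SS.microseconds string the SPL pipeline assigns to diff, which is why a large leading number is expected for a 2005 timestamp rather than a sign of a wrong subtraction.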