Hello all, I'm having trouble getting the correct difference in time when subtracting from the "now()" function. Any help would be appreciated. Here is my sample query:
Where my start time stamp looks like: 2005-07-05T04:28:34.453494Z
index=main
| where status_1="open"
| eval start=strptime(create_time, "%Y-%m-%dT%H:%M:%S.%6QZ")
| eval current_time=now()
| eval diff=current_time-start
| fieldformat diff=tostring(diff, "duration")
| table _time, id_box, diff, start, end
Hi @samnew4598
Your query is fine. What you are getting assigned to diff is 5852+05:56:10.546506; here 5852 is the number of days, in days+HH:MM:SS.Milliseconds format. Are you expecting a different output format?