I am trying to extract the difference of time (duration) of 2 events in days.
I have 2 separate events for the same ID. One is the starting event and the second is the ending event. They look as follows.
Event 1 start:
[2023-05-24 12:02:24.674 CEST_] ID:1234
Event 2 end:
[2023-05-30 6:13:04:954 CEST_] ID:1234
The following query I tried:
Gebeurtenis(=id) =000057927_018448922
|stats min(_time) as start, max(_time) as end, range(_time) as diff by Gebeurtenis
|eval start=strftime(Aanmelden, "%d/%m/%Y")
|eval end=strftime(Afmelden, "%d/%m/%Y")
|eval diff=strftime(diff, "%d/%m/%Y")
The result I get is:
Diff is calculating the beginning time of Splunk and not the 6 days of difference.
Any help is welcome.
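
The calculation the question is after, as an added example (not part of the original post, and written in Python rather than SPL): `range(_time)` is a number of seconds, so formatting it as a timestamp gives a date just after the Unix epoch, while dividing by 86400 gives days. The sample lines are constructed from the two events in the post, all function names are hypothetical, and both events are assumed to be in the same time zone.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the two events in the post
# (the second uses an unpadded hour and ':' before the milliseconds).
SAMPLE_LINES = [
    "[2023-05-24 12:02:24.674 CEST_] ID:1234",
    "[2023-05-30 6:13:04:954 CEST_] ID:1234",
]

LINE_RE = re.compile(
    r"\[(\d{4})-(\d{2})-(\d{2}) (\d{1,2}):(\d{2}):(\d{2})[.:](\d{3}) \S+\] ID:(\S+)"
)

def parse_line(line):
    """Return (event_id, datetime) or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    y, mo, d, h, mi, s, ms = (int(g) for g in m.groups()[:7])
    # Assumption: all events share one time zone, so naive datetimes suffice.
    return m.group(8), datetime(y, mo, d, h, mi, s, ms * 1000)

def durations(lines):
    """Per ID: first event, last event and span in seconds (min/max/range)."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        event_id, ts = parsed
        start, end = seen.get(event_id, (ts, ts))
        seen[event_id] = (min(start, ts), max(end, ts))
    return {i: (s, e, (e - s).total_seconds()) for i, (s, e) in seen.items()}

def as_date_by_mistake(seconds):
    """Formatting a duration as a timestamp lands just after 01/01/1970."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%d/%m/%Y")

def as_days(seconds):
    """A duration in seconds expressed in days."""
    return round(seconds / 86400, 2)

if __name__ == "__main__":
    for event_id, (start, end, diff) in durations(SAMPLE_LINES).items():
        print(event_id, start, end, as_date_by_mistake(diff), as_days(diff))
```

In SPL the same conversion is `eval diff=round(diff/86400, 2)` applied to the `diff` field that `stats range(_time)` produces.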