Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find the difference between 2 times in date time format?

karthikTIL
Path Finder
‎08-28-2014 12:12 AM

HI, I have two fields A and B with time format as 1/07/2014 3:41:12 PM.
Please let me know how to find difference between A and B in hours with this format?

e.g., if A is 1/07/2014 3:41:12 PM and B is 2/07/2014 2:41:12 PM, B-A should be 23 hours

Reply
1 Solution
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎08-28-2014 12:53 AM

Hi,

you could convert your two timestamps to epoch time, which is then seconds. Then you can calculate the difference between your timestamps in seconds (your B-A). After this you divide the result by 3600 which is an hour in seconds. If you want, you can then round to a full hour or whatever you like:

| eval epoch_A=strptime(A,"%d/%m/%Y %I:%M:%S %p") | eval epoch_B=strptime(B,"%d/%m/%Y %I:%M:%S %p") | eval diff=round(('epoch_B'-'epoch_A') / 3600)

View solution in original post

Reply
Solved! Jump to solution

karthikTIL
Path Finder
‎09-08-2014 08:59 PM

HI, is there a way in splunk to get the difference only on the business hours i.e., from 9AM to 5PM and excluding saturday,sunday,public holidays?

0 Karma
Reply
Solved! Jump to solution
Solution

tom_frotscher
Builder
‎08-28-2014 12:53 AM

Hi,

you could convert your two timestamps to epoch time, which is then seconds. Then you can calculate the difference between your timestamps in seconds (your B-A). After this you divide the result by 3600 which is an hour in seconds. If you want, you can then round to a full hour or whatever you like:

| eval epoch_A=strptime(A,"%d/%m/%Y %I:%M:%S %p") | eval epoch_B=strptime(B,"%d/%m/%Y %I:%M:%S %p") | eval diff=round(('epoch_B'-'epoch_A') / 3600)
Reply
Solved! Jump to solution

karthikTIL
Path Finder
‎08-28-2014 06:15 PM

Excellent,Thanks Tom

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎08-28-2014 01:05 AM

Try to replace the " with ' symbols for the first argument in the strptime function. Like this:

"eval epoch_A=strptime('Assigned_TIME',"%d/%m/%Y %I:%M:%S %p") | eval epoch_B=strptime('In Progress_TIME',"%d/%m/%Y %I:%M:%S %p") | eval diff=round(('epoch_B'-'epoch_A') / 3600)|table diff"
Reply
Solved! Jump to solution

karthikTIL
Path Finder
‎08-28-2014 12:57 AM

I dont find output when i mention this
"eval epoch_A=strptime("Assigned_TIME","%d/%m/%Y %I:%M:%S %p") | eval epoch_B=strptime("In Progress_TIME","%d/%m/%Y %I:%M:%S %p") | eval diff=round(('epoch_B'-'epoch_A') / 3600)|table diff"

fyi., A is Assigned_Time and B is In Progress_Time

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...