Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time difference between 2 fields

nathanluke86
Communicator
‎02-18-2020 06:15 AM

How can I get the time difference between two fields below

alt text

TIA

Preview file
5 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-18-2020 06:53 AM

Like this.. This will convert your fields to epoch time, find the difference, then convert to hours/min/sec 

| eval time_epoch=strptime(time, "%m/%d/%y %H:%M:%S")
| eval timenow_epoch=strptime(timenow, "%m/%d/%y %H:%M:%S")
| eval diff=timenow_epoch-time_epoch
| eval diff=strftime(diff, "%H:%M:%S")

View solution in original post

Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-18-2020 06:54 AM

Use:

| eval time_diff = strptime(timenow, "%m/%d/%y %H:%M:%S") - strptime(time, "%m/%d/%y %H:%M:%S")

Sample query:

| makeresults | eval time="02/18/20 12:00:45",  timenow="02/18/20 14:12:32" | eval time_diff = strptime(timenow, "%m/%d/%y %H:%M:%S") - strptime(time, "%m/%d/%y %H:%M:%S")
Reply
Solved! Jump to solution

nathanluke86
Communicator
‎02-18-2020 07:02 AM

Thanks @manjunathmeti

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-18-2020 06:53 AM

Like this.. This will convert your fields to epoch time, find the difference, then convert to hours/min/sec 

| eval time_epoch=strptime(time, "%m/%d/%y %H:%M:%S")
| eval timenow_epoch=strptime(timenow, "%m/%d/%y %H:%M:%S")
| eval diff=timenow_epoch-time_epoch
| eval diff=strftime(diff, "%H:%M:%S")
Reply
Solved! Jump to solution

nathanluke86
Communicator
‎02-18-2020 07:02 AM

Thankyou @skoelpin

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...