Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare usual time to Epoch time

luckyman80
Path Finder
‎10-07-2021 02:56 AM

Hi Experts! ,

                      Wondered if there was a way of doing this. I have a need to compare a timestamp of a log to an EPOCH time also on the same log line and show the Diff

Example

2021-10-05 04:49:10.138 [pool-1-thread-1] INFO order - [Pool]Book={inst=example,1=[],2=[feed-|time=1633427347600000000}

Manually looking the difference is 

2021-10-05 04:49:10.138 -(Standard time)

2021-10-05 04:49:07.600 -(EPOCH time)

Difference 2.54 seconds

Thanks in advance

Labels (1)
Labels
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 09:52 AM

OK extract epoch like this

| rex "time=(?<epoch>\d*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-07-2021 08:56 AM

Try this

Your base search| eva diff=_time-time | table diff
0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎10-07-2021 09:31 AM
Spoiler
i did try that .. now I get 
_time as 2021-10-07 12:30:03.839

and diff as -1633624103220375800.000

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-07-2021 11:34 AM

Try this

Your base search | eval diff=abs(_time-(time/1000000000))

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 03:43 AM

Is your "standard" time already extracted as _time?

Your EPOCH time looks like it might be in nano-seconds, so try

| eval diff=_time-(epoch/1000000000)
0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎10-07-2021 03:55 AM

Hi! Thanks for the quick response!  I haven't Extracted time yet (not sure how to do that) also how do I display it after ? sorry for all the questions 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 03:58 AM

You may find it has already been extracted for you when the events were indexed. What fields do you have extracted?

0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎10-07-2021 05:10 AM

Apols if im being stupid . I tried 

| eval diff=_time-(epoch/1000000000)|table diff

but dont see anything 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 05:17 AM

What do you get if you just do 

<<your search>>
| table _time epoch
0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎10-07-2021 08:04 AM

_time looks like this 

2021-10-07 08:28:04.211

epoch column  is blank 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 09:52 AM

OK extract epoch like this

| rex "time=(?<epoch>\d*)"
0 Karma
Reply
Solved! Jump to solution

luckyman80
Path Finder
‎10-07-2021 01:06 PM

thank you ! worked great 

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...