I have a field serv_time = 44432 in milliseconds,
and the default field _time.
I want to be able to subtract _time - serv_time (_time minus serv_time)
and get the result in a human-readable format?
_time is an epoch time that holds seconds since some base date. Here's some code that manipulates those values in the way you're asking for:
| makeresults
| eval serv_time = 44432
| eval epoch_time = _time
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (serv_time/1000)
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
I'm not getting the expected result. I am not getting the subtracted time.
index="bayseian" source="/apps/runner/mahem/logs/sachin.out" | rex field=_raw "(?ms)^(?P<boot_end>\\d+\\-\\w+\\-\\d+\\s+\\d+:\\d+)(?:[^ \\n]* ){7}(?P<boot_time>\\d+)" offset_field=_extracted_fields_bounds
| eval serv_time = boot_time
| eval epoch_time = _time
| eval human_epoch_time = strftime(epoch_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = epoch_time - (boot_time/1000)
| eval human_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
| eval sub_time = strftime(sub_time,"%y-%m-%d %H:%M:%S.%N")
| table human_time sub_time
@zacksoft in your query human_time and sub_time are both formatting sub_time -- so they'll be the same.
If you change your last line to display:
| table human_epoch_time sub_time human_time
you should see the diff between human_epoch_time and sub_time.
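The arithmetic in the accepted answer (epoch seconds minus serv_time/1000, then strftime) and the point raised in the last reply (formatting sub_time twice yields two identical columns) can both be checked outside Splunk. The Python below is an added example written for this thread, not code from the original posts or from Splunk; it replays the eval chain from the follow-up query on a constructed epoch value and shows which columns differ. Assumptions: the sample _time and boot_time values are made up, the formatter renders in UTC, and Python's `%f` (microseconds) stands in for Splunk's `%N` subsecond specifier.

```python
from datetime import datetime, timezone

# Constructed sample values (not from the thread): an epoch _time in seconds
# and a boot/serv_time in milliseconds, as in the original question.
SAMPLE_TIME = 1700000000.25        # 2023-11-14 22:13:20.25 UTC
SAMPLE_BOOT_TIME_MS = 44432        # milliseconds


def subtract_ms(epoch_seconds: float, duration_ms: float) -> float:
    """Mirror of `eval sub_time = epoch_time - (boot_time/1000)`.

    _time is in seconds, so the millisecond duration must be divided by
    1000 before subtracting; forgetting that shifts the result by ~44000 s.
    """
    return epoch_seconds - duration_ms / 1000


def fmt(epoch_seconds: float) -> str:
    """Mirror of strftime(x, "%y-%m-%d %H:%M:%S.%N"), rendered in UTC.

    Assumption: Python's %f (6-digit microseconds) is used where Splunk
    would print %N subseconds; the digit count differs but the value does not.
    """
    dt = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return dt.strftime("%y-%m-%d %H:%M:%S.%f")


def eval_chain(epoch_time: float, boot_time_ms: float, columns: tuple) -> dict:
    """Replay the follow-up's eval chain in order and return the `table` columns.

    The chain formats sub_time into human_time and then overwrites sub_time
    with the same formatted string, so `table human_time sub_time` can never
    show two different values; adding human_epoch_time exposes the difference.
    """
    fields = {}
    fields["epoch_time"] = epoch_time
    fields["human_epoch_time"] = fmt(fields["epoch_time"])
    fields["sub_time"] = subtract_ms(fields["epoch_time"], boot_time_ms)
    fields["human_time"] = fmt(fields["sub_time"])
    fields["sub_time"] = fmt(fields["sub_time"])   # overwrite, as in the posted query
    return {name: fields[name] for name in columns}


def as_posted() -> dict:
    """`| table human_time sub_time` from the follow-up query."""
    return eval_chain(SAMPLE_TIME, SAMPLE_BOOT_TIME_MS, ("human_time", "sub_time"))


def as_suggested() -> dict:
    """`| table human_epoch_time sub_time human_time` from the last reply."""
    return eval_chain(SAMPLE_TIME, SAMPLE_BOOT_TIME_MS,
                      ("human_epoch_time", "sub_time", "human_time"))


if __name__ == "__main__":
    print("posted   :", as_posted())      # two identical columns
    print("suggested:", as_suggested())   # human_epoch_time is 44.432 s later
```

Running it prints the two-column table with identical values first, then the three-column table where human_epoch_time is 44.432 seconds ahead of the other two, which is the difference the last reply says you should see.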