Splunk Search

Subtracting two timestamps

guimilare
Communicator

Hi Splunkers.

I have one issue about subtracting two timestamps.
I have the following fields:

start=20150917 18:28:32.460
end=20150917 18:28:32.500

I tried something like this:

<mysearch> |  eval result_field=end-start

but no luck.

I need the output as result_field=00:00:00.040.

Can you guys help me?
Thank you!
Best regards.

1 Solution

somesoni2
SplunkTrust

Try this

<Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration")

Updated per new req

<Your search > | eval result_field=strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N") | stats avg(result_field) as result_field | eval result_field=tostring(result_field,"duration")

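A run-anywhere version of the accepted search, added here as an editor's example rather than code from the thread. It builds three constructed events with makeresults, parses both strings with an explicit %3N for the three millisecond digits, keeps the numeric difference (delta_sec) for aggregation, and only converts to the HH:MM:SS form for display. The sample timestamps and the field names n, delta_sec, avg_sec, max_sec and parse_ok are assumptions of this example, not from the original post.

```spl
| makeresults count=3
| streamstats count AS n
| eval start="20150917 18:28:32.460",
       end=case(n==1, "20150917 18:28:32.500",
                n==2, "20150917 18:28:33.060",
                n==3, "20150917 18:30:02.460")
| eval start_epoch=strptime(start, "%Y%m%d %H:%M:%S.%3N"),
       end_epoch=strptime(end, "%Y%m%d %H:%M:%S.%3N")
| eval parse_ok=if(isnull(start_epoch) OR isnull(end_epoch), "no", "yes")
| eval delta_sec=end_epoch-start_epoch
| eventstats avg(delta_sec) AS avg_sec, max(delta_sec) AS max_sec
| eval result_field=tostring(delta_sec, "duration"),
       avg_duration=tostring(avg_sec, "duration"),
       max_duration=tostring(max_sec, "duration")
| table n start end parse_ok delta_sec result_field avg_duration max_duration
```

Three things this shows that the one-liner does not. First, eval's minus operator only works on numbers, so subtracting the two raw strings (the original attempt) yields an empty field; strptime is what turns them into epoch seconds. Second, strptime returns null when the string does not match the format, so the parse_ok column makes a silent format mismatch visible instead of producing an empty duration. Third, because delta_sec is kept numeric, stats or eventstats can average it, take a max, or filter with where delta_sec > 60; the duration string produced by tostring is for display only and cannot be averaged. The format has no %z, so both strings are interpreted in the searching user's timezone; that cancels out in the subtraction as long as both fields come from the same source.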

sunilsk1
Path Finder

It is still not working for me. I have this sample log entry, where the boot time for each machine in ENV is reported:
I have 2016-05,ENV,R1,W,05/25/16 21:00:00.000,05/26/16 02:00:00.000,05/25/16 23:09:00.000,05/26/16 05:12:00.000,183

where my "Scheduled End Time" is 05/26/16 02:00:00.000
and "Actual End Time" is 05/26/16 05:12:00.000.
I want the difference in minutes between Actual End Time and Scheduled End Time (192 minutes).

I have tried this approach:
{search}|eval ac_end='Actual End Time'|convert mktime(ac_end) as ac_time timeformat="%Y-%m-%d %H:%M:%S"

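An editor's example for the comma-separated line above, not code from the thread. It splits the line, takes the sixth field (Scheduled End Time) and the eighth (Actual End Time), and converts them with a format that matches what the data actually contains: two-digit year, slashes, and three subsecond digits. The event is constructed inline with makeresults, and the field names f, sched_end, actual_end and overrun_min are assumptions of this example.

```spl
| makeresults
| eval _raw="2016-05,ENV,R1,W,05/25/16 21:00:00.000,05/26/16 02:00:00.000,05/25/16 23:09:00.000,05/26/16 05:12:00.000,183"
| eval f=split(_raw, ",")
| eval sched_end=mvindex(f, 5), actual_end=mvindex(f, 7)
| eval sched_end_epoch=strptime(sched_end, "%m/%d/%y %H:%M:%S.%3N"),
       actual_end_epoch=strptime(actual_end, "%m/%d/%y %H:%M:%S.%3N")
| eval parse_ok=if(isnull(sched_end_epoch) OR isnull(actual_end_epoch), "no", "yes")
| eval overrun_min=round((actual_end_epoch-sched_end_epoch)/60, 0)
| table sched_end actual_end parse_ok overrun_min
```

For this line overrun_min is 192. The format string is the part to check when a conversion yields nothing: strptime returns null for a string that does not match its format, so a format written for "2016-05-26 05:12:00" applied to "05/26/16 05:12:00.000" produces an empty epoch field and therefore an empty difference. The parse_ok column surfaces that immediately rather than leaving an empty column to be discovered later.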

DavidHourani
Super Champion

Hey,

What you're looking for is a tostring conversion.

Simply use the following:

 <mysearch> |  eval result_field=end-start | eval result_field = tostring(result_field,"duration")

Or simply:

<mysearch> |  eval result_field = tostring(end-start,"duration")

Let me know how that works out for you!

Cheers,
David


guimilare
Communicator

Hi Somesoni2,
this appears to work!
How can I get an average from result_field?
I tried to do

 <Your search> | eval result_field=tostring(strptime(end,"%Y%m%d %H:%M:%S.%N")-strptime(start,"%Y%m%d %H:%M:%S.%N"),"duration") | avg(result_field) as Average

but no success.
Regards


somesoni2
SplunkTrust
SplunkTrust

The above query generates a string field in the format you requested, so you can't get the avg from it. Try the updated query.
