So I have seen an answer related to this question on Splunk Answers but the answer that was given is not working for me. I have tried the following as my search string and it seems like mktime() is having trouble converting the human readable time I've provided to epoch time.
eventtype=bsm_events | convert mktime(event.time_received_label) as t2 mktime(event.time_created_label) as t1 | eval elapsed = t2-t1 | table t1,t2,elapsed
I've tried mktime() with 2 separate time formats.
- 2014-02-18T21:09:24.804-07:00
- 02/18/2014 9:09:24 PM
I've also tried using strptime() but had issues with that too.
Thanks in advanced.
