Hi,
There are two fields named "start_time" and "end_time" extracted from logs and displayed in the format "03/21/14 01:11:13". Can someone tell me the search query to calculate the difference between the two times and display the difference in seconds? For example:
Start_time          End_time            duration
03/21/14 01:11:13   03/21/14 01:11:15   2
Use the convert command to change them to epoch time. Then use eval to get the difference in seconds.
I often find the various functions of convert to be confusing to beginners, so here's a working example:
| stats count | eval startTime = "03/21/14 01:11:13" | eval endTime = "03/21/14 01:11:15" | convert mktime(*Time) timeformat="%m/%d/%y %H:%M:%S" | eval diff = endTime - startTime
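
Added example, not part of the original answers: the same calculation done with eval's strptime() on the asker's field names, plus a status column that flags rows where a timestamp did not parse or where end_time precedes start_time. The three rows are constructed sample data, and start_epoch, end_epoch and status are names chosen for this illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval start_time=case(n==1, "03/21/14 01:11:13", n==2, "03/21/14 23:59:58", n==3, "03/21/14 01:11:13")
| eval end_time=case(n==1, "03/21/14 01:11:15", n==2, "03/22/14 00:00:03", n==3, "unknown")
| eval start_epoch=strptime(start_time, "%m/%d/%y %H:%M:%S")
| eval end_epoch=strptime(end_time, "%m/%d/%y %H:%M:%S")
| eval duration=end_epoch - start_epoch
| eval status=case(isnull(start_epoch) OR isnull(end_epoch), "unparsed timestamp", duration < 0, "end before start", true(), "ok")
| table start_time end_time duration status
```

Against real events, drop the first four lines and start from the search that extracts start_time and end_time.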