Hello all,
This is my first post.
I am trying to calculate time diff between two fields in a single event.
For example:
Time_HTTP_Start: 06/25/2015 09:59:43:586
Time_HTTP_Sent: 06/25/2015 09:59:43:830
My current search:
sourcetype="XXXXXX" host="XXXXXX" |eval diff= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")- strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")|table diff
I only get an empty result. Can somebody tell me what I am missing? I am sure it's very easy for you guys!
Thank you.
I would break it down a little more, just so I could see what is happening:
sourcetype="XXXXXX" host="XXXXXX"
| eval sent= strptime(Time_HTTP_Sent,"%m/%d/%Y %H:%M:%S:%3N")
| eval start= strptime(Time_HTTP_Start,"%m/%d/%Y %H:%M:%S:%3N")
| eval diff= sent-start
| table Time_HTTP_Sent Time_HTTP_Start sent start diff
Thank you!
First, make sure your fields are extracted correctly:
sourcetype="XXXXXX" host="XXXXXX" | table _time Time_HTTP_Sent Time_HTTP_Start _raw
Thank you. I have checked it and found that the data was not extracted. Thank you again!
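An added example, not part of the original thread: a self-contained search that separates the two reasons strptime can come back empty here, a field that was never extracted versus a value that does not match the format string. It uses makeresults with constructed sample rows (row 1 holds the values from the question, row 2 a constructed value in a different timestamp layout, row 3 no fields at all); the field names constructed_case and status are assumptions made for this illustration.

```spl
| makeresults count=3
| streamstats count AS constructed_case
| eval Time_HTTP_Start=case(constructed_case==1, "06/25/2015 09:59:43:586", constructed_case==2, "2015-06-25 09:59:43,586")
| eval Time_HTTP_Sent=case(constructed_case==1, "06/25/2015 09:59:43:830", constructed_case==2, "06/25/2015 09:59:43:830")
| eval start=strptime(Time_HTTP_Start, "%m/%d/%Y %H:%M:%S:%3N")
| eval sent=strptime(Time_HTTP_Sent, "%m/%d/%Y %H:%M:%S:%3N")
| eval diff=round(sent-start, 3)
| eval status=case(isnull(Time_HTTP_Start) OR isnull(Time_HTTP_Sent), "field not extracted", isnull(start) OR isnull(sent), "format mismatch", true(), "ok")
| table constructed_case Time_HTTP_Start Time_HTTP_Sent start sent diff status
```

To run the same check on real events, replace the first four lines with the base search (sourcetype="XXXXXX" host="XXXXXX") and keep the rest.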