Splunk Search

How do I extract the time from this sample timestamp and convert it into seconds to find the difference from the current time?

ppanchal
Path Finder

Hi,

This is the timestamp format that I get in the logs: 2016-08-22 14:49:01
I want to separate the date and time from this, convert the time into seconds, and then subtract it from the current time to find the difference.

Please help.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Assuming that timestamp is already recognized by Splunk as the event's timestamp, I see two ways your question could go:

  1. You want to see the difference between the time Splunk indexed the data and the time the event was generated: ... | eval delta = _indextime - _time
  2. You want to see the difference between now and the time the event was generated: ... | eval delta = now() - _time
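
The two deltas above, turned into a per-source health check, as an added example that is not part of the original answer: `_indextime - _time` measures how far behind ingestion is, and `now() - _time` on the newest event per host tells you how long a source has been silent, which is the monitoring gap an attacker benefits from most. The index name is taken from the asker's later query; the 24h window, the 30-minute silence threshold and the 5-minute lag threshold are assumptions.

```spl
index="ocsmonitor" earliest=-24h
| eval index_lag_sec=_indextime-_time
| stats max(_time) as last_event_epoch max(index_lag_sec) as worst_lag_sec avg(index_lag_sec) as avg_lag_sec count as events by host sourcetype
| eval silent_sec=now()-last_event_epoch
| eval silent_for=tostring(silent_sec, "duration")
| eval last_event=strftime(last_event_epoch, "%Y-%m-%d %H:%M:%S")
| eval worst_lag_sec=round(worst_lag_sec), avg_lag_sec=round(avg_lag_sec)
| where silent_sec > 1800 OR worst_lag_sec > 300
| table host sourcetype last_event silent_for worst_lag_sec avg_lag_sec events
```

Two caveats when reading the result. A negative `index_lag_sec` means the event's `_time` lies in the future, which almost always points at a wrong time zone in the timestamp extraction rather than at a fast clock, and it silently skews every "age" you compute from `_time`. And a source that has been silent for longer than the search window does not appear at all, because there are no events to aggregate; a real "source went quiet" alert has to compare the result against an inventory of expected hosts rather than against whatever happened to log.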

martin_mueller
SplunkTrust
SplunkTrust

Seconds to minutes would be "divide by 60"... anywhere, not just in Splunk 😄

0 Karma

ppanchal
Path Finder

lol, my bad.
Actually, these are existing dashboards which are no longer functioning, and I am trying to get them working.
Not sure why the creator divided by 60000 initially...

0 Karma

ppablo
Retired

Hi @ppanchal

If the answer and comments by @martin_mueller solved your question, please don't forget to resolve the post by clicking "Accept" directly below his answer. Also, be sure to upvote the answer and/or any of his comments you found especially helpful!

Patrick

0 Karma

ppanchal
Path Finder

I have done that thanks 🙂

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can use eval's round(). Why are you dividing by 60000?

0 Karma

ppanchal
Path Finder

I want to convert the seconds back to minutes at the end.

Sorry, I am new to Splunk, so I am just trying to figure out things.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Ah, that's different. You'll need strptime() from eval: docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CommonEvalFunctions

Something like ... | eval delta = now() - strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S")
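
The complete search the thread converges on, written out as an added example that is not from the original post: `strptime()` turns `CREATION_TIME` into epoch seconds, so `now()` minus that value is already a number of seconds, minutes are that divided by 60 (not 60000, which would be milliseconds to minutes), and `round()` drops the `.000000` the asker sees. The index, sourcetype and field name are the asker's own; the 30-minute idle threshold and the assumption that `CREATION_TIME` is written in UTC are mine.

```spl
index="ocsmonitor" sourcetype="idle_alert"
| eval creation_epoch=strptime(CREATION_TIME." +0000", "%Y-%m-%d %H:%M:%S %z")
| stats max(creation_epoch) as latest_creation
| eval age_sec=round(now()-latest_creation)
| eval age_min=round(age_sec/60, 1)
| eval age_readable=tostring(age_sec, "duration")
| eval status=if(age_min > 30, "IDLE", "ok")
| eval latest_creation=strftime(latest_creation, "%Y-%m-%d %H:%M:%S")
| table latest_creation age_sec age_min age_readable status
```

The `." +0000"` and `%z` pin the zone: a timestamp string with no zone information is interpreted by Splunk in the searching user's time zone setting, so the same dashboard can show an age that differs by hours between two users, and an idle alert built on it fires (or stays quiet) depending on who runs it. If `CREATION_TIME` really is local time, drop the suffix and `%z`, but then make sure everyone who owns the alert has the same time zone configured. `max()` is used instead of `latest()` on purpose: `latest()` returns the value from the event with the newest `_time`, which is not necessarily the largest `CREATION_TIME` when events arrive out of order.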

ppanchal
Path Finder

Great that worked 🙂

But now I am getting the seconds in the below format,
1471899601.000000
How should I remove the 0's after the decimal point?

Here is my complete query,

index="ocsmonitor" sourcetype="idle_alert" | eval a=strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S") | stats latest(a) as latests | eval tnow=now() | eval b=(tnow-latests)/60000 | table b

The output for b is 0.00020000000.

I want to remove the extra 0's.

Please help.

0 Karma

ppanchal
Path Finder

I have a field called CREATION_TIME.
CREATION_TIME=2016-08-22 14:49:01

How will I convert this into seconds?

0 Karma