- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert time format to epoch time in order ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to convert time format to epoch time in order to calculate difference?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It appears there are some special chars in the data. Try this.
.... | rex mode=sed field=Previous_Time "s/(\W)//g"| eval Previous_Time=strptime(Previous_Time, "%Y%m%dT%H%M%S%6N") | rex mode=sed field=New_Time "s/(\W)//g"| eval New_Time=strptime(New_Time, "%Y%m%dT%H%M%S%6N") | eval diff=New_Time-Previous_Time | eval diff=tostring(diff, "duration") | eval New_Time=strftime(New_Time, "%Y-%m-%dT%H:%M:%S.%6N") | eval Previous_Time=strftime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%6N")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From https://answers.splunk.com/answers/180660/how-to-convert-a-timestamp-field-to-epoch-format.html
First extract the timestamp into a field if it is not already set as the timestamp _time.
Then add the following command where you substitute your field name
... | convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime("yourfieldname")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its the field values, I get from the event
Previous_Time - 2016-12-01T15:34:37.658562500Z
New_Time - 2016-12-01T15:36:13.345154500Z
I have to find the difference b/w these times
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, try this to get the difference in raw seconds.
... | convert timeformat="%Y-%m-%dT%H:%M:%S.%9NZ" mktime("Previous_Time") as previousepoch mktime("New_Time") as newepoch | eval difftime = newepoch - previousepoch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried, its not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is it outputting? Are the new fields newepoch and previousepoch being generated at all?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
extract the field using regex ( if its not the timestamp of the log) and you can try strptime and strftime to strip and form the timestamps
|eval time=strptime(yourfiled,"%H:%M:%S.%N") note you can use number to limit the milli seconds ( ex %3N gives 3 decimal values)
once done you can calculate the difference and form the time afterwards
| eval calculatedtime=strftime(yourfiled,"%H:%M:%S.%N")
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
