Hi,
I'm trying to calculate the time without errors in the system. To do that I'm doing something like
| eval now = now()
| convert timeformat="%Y-%m-%d %H:%M:%S.%3N" mktime(_time) AS epoch_time
| eval diff = now - epoch_time
| eval TimeWithoutErrors = strftime(diff,"%H:%M:%S")
| eval TimeNow = strftime(now,"%Y-%m-%d %H:%M:%S.%3N")
| eval EventTime = strftime(epoch_time,"%Y-%m-%d %H:%M:%S.%3N")
| head 1
| table TimeWithoutErrors, TimeNow, _time, EventTime
And the values I get are:
Why am I getting an hour more than what I should get?
Thank you very much,
Vicenç
Try something like this. The _time field is already epoch so you don't need to convert it again.
your base search
| head 1
| eval TimeWithoutErrors = tostring(now()-_time,"duration")
| eval TimeNow= strftime(now(),"%Y-%m-%d %H:%M:%S.%3N")
| eval EventTime = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")
| table TimeWithoutErrors, TimeNow, _time, EventTime
Works perfectly, thanks!
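Added example, not part of the original thread: a Python model of why the search in the question shows an extra hour. `strftime` treats the difference as an epoch timestamp and renders it as clock time in the viewer's timezone, while `tostring(..., "duration")` formats elapsed seconds. The UTC+1 offset, the function names and the sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone


def clock_format(seconds, utc_offset_hours):
    """Model of strftime(diff, "%H:%M:%S"): the number is read as an epoch
    timestamp and shown as wall-clock time in the viewer's timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(seconds, tz).strftime("%H:%M:%S")


def duration_format(seconds):
    """Model of tostring(diff, "duration") for whole seconds: [D+]HH:MM:SS."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


# Constructed sample: the last error event happened 2h 15m 30s before "now".
event_time = 1_700_000_000          # _time is already epoch seconds
now = event_time + 2 * 3600 + 15 * 60 + 30
diff = now - event_time             # 8130 seconds without errors

if __name__ == "__main__":
    # Viewer assumed to be in UTC+1: the timezone offset leaks into the result.
    print("strftime-style, UTC+1:", clock_format(diff, 1))
    # Same call for a UTC viewer happens to look right, which hides the bug.
    print("strftime-style, UTC  :", clock_format(diff, 0))
    print("duration-style       :", duration_format(diff))

    # Second failure mode: clock formatting wraps at 24 hours and drops days.
    long_gap = 26 * 3600
    print("26h strftime-style   :", clock_format(long_gap, 1))
    print("26h duration-style   :", duration_format(long_gap))
```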