Hi,
Looking to calculate the time difference between two timestamps (in milliseconds and seconds). Please help.
B_Timestamp minus A_Timestamp (this is the logic I need to achieve).
A_Timestamp B_Timestamp epoc_ATimestamp epoc_BTimestamp
2017-03-09-11:59:59.799 2017-03-09-11:59:59.817 1488978000.000000 1488978000.000000
2017-03-09-11:59:59.722 2017-03-09-11:59:59.754 1488978000.000000 1488978000.000000
index="idx_sample" | eval DateTime = split(DateTime," ") | eval A_Timestamp = mvindex(DateTime,0) | eval B_Timestamp = mvindex(DateTime,1) | eval epoc_ATimestamp=strptime(A_Timestamp,"%Y-%m-%d") | eval epoc_BTimestamp=strptime(B_Timestamp,"%Y-%m-%d") | table A_Timestamp,B_Timestamp,epoc_ATimestamp,epoc_BTimestamp
The easiest way is to translate them both into epoch time, which is in seconds already. (Your Epoch timestamps are incorrect.)
| eval epoc_ATimestamp=strptime(A_Timestamp,"%Y-%m-%d-%H:%M:%S.%3Q")
| eval epoc_BTimestamp=strptime(B_Timestamp,"%Y-%m-%d-%H:%M:%S.%3Q")
Note: %3Q, %3N or %Q will all work to extract the 3-digit millisecond data.
Try like this (time format updated).
index="idx_sample" | eval DateTime = split(DateTime," ") | eval A_Timestamp = mvindex(DateTime,0) | eval B_Timestamp = mvindex(DateTime,1) | eval epoc_ATimestamp=strptime(A_Timestamp,"%Y-%m-%d-%H:%M:%S.%3N") | eval epoc_BTimestamp=strptime(B_Timestamp,"%Y-%m-%d-%H:%M:%S.%3N") | table A_Timestamp,B_Timestamp,epoc_ATimestamp,epoc_BTimestamp
See this for more information on time formats:
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
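To make the point of the two answers above concrete outside Splunk, here is an added Python example (not part of this thread and not Splunk code) that does the same thing the corrected strptime searches do: parse both timestamps with a format that keeps the time of day and the milliseconds, convert them to epoch values, and subtract B from A. It assumes the timestamps are UTC (Splunk would use the search-time zone) and uses Python's %f in place of Splunk's %3N; the sample rows are constructed to mirror the two rows in the question. It also shows what the original "%Y-%m-%d" format effectively did: the time of day is discarded, so both columns collapse to the same epoch and the difference is zero.

```python
from datetime import datetime, timedelta, timezone

# Splunk's "%Y-%m-%d-%H:%M:%S.%3N" written for Python: %f is the fractional
# field and accepts 1-6 digits, so ".799" parses as 799000 microseconds.
FULL_FORMAT = "%Y-%m-%d-%H:%M:%S.%f"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows mirroring the two rows in the question.
SAMPLE_ROWS = [
    ("2017-03-09-11:59:59.799", "2017-03-09-11:59:59.817"),
    ("2017-03-09-11:59:59.722", "2017-03-09-11:59:59.754"),
]


def parse_ts(ts: str, fmt: str = FULL_FORMAT) -> datetime:
    """Parse a timestamp string; UTC is assumed so results are reproducible."""
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def epoch_millis(ts: str) -> int:
    """Milliseconds since the Unix epoch, via exact timedelta integer division."""
    return (parse_ts(ts) - EPOCH) // timedelta(milliseconds=1)


def epoch_seconds(ts: str) -> float:
    """Epoch seconds with a fractional part, like Splunk's strptime() output."""
    return epoch_millis(ts) / 1000


def diff_ms(a_ts: str, b_ts: str) -> int:
    """B_Timestamp minus A_Timestamp in milliseconds (negative if B precedes A)."""
    return epoch_millis(b_ts) - epoch_millis(a_ts)


def date_only_millis(ts: str) -> int:
    """Epoch millis using only the date part, i.e. what a "%Y-%m-%d" format keeps.

    Both A and B of one row land on the same midnight, so B - A is always 0.
    """
    return (parse_ts(ts[:10], "%Y-%m-%d") - EPOCH) // timedelta(milliseconds=1)


def main() -> None:
    for a_ts, b_ts in SAMPLE_ROWS:
        delta = diff_ms(a_ts, b_ts)
        print(a_ts, b_ts, epoch_seconds(a_ts), epoch_seconds(b_ts),
              f"diff={delta} ms ({delta / 1000:.3f} s)")
    a_ts, b_ts = SAMPLE_ROWS[0]
    print("date-only epochs:", date_only_millis(a_ts), date_only_millis(b_ts),
          "diff =", date_only_millis(b_ts) - date_only_millis(a_ts), "ms")


if __name__ == "__main__":
    main()
```

Keeping the subtraction in integer milliseconds avoids the float rounding you would get from subtracting two values like 1489060799.817 and 1489060799.799 directly; divide by 1000 only when presenting the result in seconds.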
What's the difference between %3N and %3Q?
Both will be the same if a width is specified. I believe in strptime both %N and %Q behave the same. There is a great explanation of this difference in the comments section of the link that I shared.
Since the comment section mentioned in this answer is gone from the docs, but this thread comes up first when googling for splunk strptime %Q %N (at least for me), I'll add a link to a different place where I found an explanation by @DalJeanis : https://community.splunk.com/t5/Splunk-Search/How-can-I-find-the-time-duration-between-two-fields/m-...
Basically, %N and %Q can do the same if you provide them with a length (such as %6N or %3N). Without length specified, %N will default to three and %Q to six digits.
Thanks, I initially called out %3Q, then assumed yours was right when I couldn't distinguish them in the docs. I'll change mine back.