Solved: Subtracting between two _time (And get result in ...

zacksoft · ‎04-10-2018

My log contain some events that we call 'bonus_events'. And 'bonus_events' happen once or twice a week.
I am calculating delta(subtracting between two consecutive 'bonus_events') and getting the result in a weird format (i.e -25705.655 etc)
I want to get this weird format converted into 'days'. So that it should tell me "How many days back the last bonus_event happened?"

This is what I have written,
host="lak1200.ramana.com" source="/apps/games/prizes-*" bonus
| delta _time AS last_bonus_event p=1 | table last_bonus_event

FrankVl · ‎04-10-2018

_time is populated with a unix epoch timestamp value. Which basically is a number of seconds since jan 1 1970. So if you subtract 2 _time values, you get a number of seconds. To translate that to days, simply divide by the number of seconds in a day (3600*24) 🙂

View solution in original post

FrankVl · ‎04-10-2018

_time is populated with a unix epoch timestamp value. Which basically is a number of seconds since jan 1 1970. So if you subtract 2 _time values, you get a number of seconds. To translate that to days, simply divide by the number of seconds in a day (3600*24) 🙂

Subtracting between two _time (And get result in days)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases