Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to find time difference in below format?

manuraj_rajappa
New Member
‎01-20-2020 07:18 AM

New_Time=2020‎-‎01‎-‎19T15:06:53.134000000Z
Previous_Time=2020‎-‎01‎-‎19T15:06:53.134396700Z

how to find the time difference of above times?

0 Karma
Reply

vnravikumar
Champion
‎01-20-2020 08:44 PM

Hi

Check this

| makeresults 
| eval New_Time="2020-01-19T15:06:53.134000000Z",Previous_Time="2020-01-19T15:06:53.134396700Z" 
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") 
| fieldformat diff = tostring(diff, "duration") 
| table diff
0 Karma
Reply

manuraj_rajappa
New Member
‎01-20-2020 08:04 AM

alt text

Am getting blank result while executing query. Please find the screenshot

Preview file
1 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2020 07:49 AM

Please consider changing your user name. We discourage the use of email addresses here to avoid spam.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2020 07:28 AM

To find the difference between times you must first convert them to epoch form.

... | eval nt = strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z"), pt= strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| eval diff = nt - pt
| fieldformat diff = tostring(diff, "duration")
| table diff
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

manuraj_rajappa
New Member
‎01-20-2020 08:36 AM

Getting blank result after query. Please advise.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 07:23 AM

Hi @manuraj.rajappan@tcs.com,
to find time differences, you have to convert your timestamps in epoch time using eval command and the strptime function, something like this:

your search
| eval diff=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")
| ...

Ciao.
Giuseppe

0 Karma
Reply

manuraj_rajappa
New Member
‎01-20-2020 08:05 AM

Am getting blank screen while executing query. (Please find above)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 08:15 AM

Hi @manuraj.rajappan@tcs.com,
I think that New_Time and Previous_Time are two field already extracted and present in you logs.
If you haven't them, you have to understand how to extract them from logs or from a correlation.
Can you share two events identifying the above fields?

ciao.
Giuseppe

0 Karma
Reply

manuraj_rajappa
New Member
‎01-20-2020 08:23 AM

Both filelds are available already for each event. No issues with this I guess. Need some help 😞

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 08:38 AM

Hi @manuraj.rajappan@tcs.com,
debug the situation in this way:

index=your_index New_Time=* Previous_Time=*
| table _time New_Time Previous_Time

in this way you can be sure that the fields are in each event

than continue in this way

index=your_index New_Time=* Previous_Time=*
| eval New_epoch_Time=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N"), Previous_epoch_Time=strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N"), diff=strptime(New_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")-strptime(Previous_Time,"%Y‎-%m‎-%dT%H:%M:%S.%9N")
| table _time New_Time Previous_Time New_epoch_Time Previous_epoch_Time diff

In this way you can see if the conversion in epoch time is correct.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...