New_Time=2020-01-22T03:17:36.385000000Z
Previous_Time=2020-01-22T03:17:36.388208200Z
I tried the query below and am getting blank results:
sourcetype="XXXXXX" host="XXXXXX"
| eval sent= strptime(New_Time,"%m/%d/%Y %H:%M:%S:%9N")
| eval start= strptime(Previous_Time,"%m/%d/%Y %H:%M:%S:%9N")
| eval diff= sent-start
| table New_Time, Previous_Time, sent, start, diff
Try with %Y-%m-%dT%H:%M:%S:%9NZ
date +"%Y-%m-%dT%H:%M:%S:%9NZ"
2020-01-22T09:31:49:779258877Z
Hi
Check this
| makeresults
| eval New_Time="2020-01-22T03:17:36.385000000Z",Previous_Time="2020-01-22T03:17:36.388208200Z"
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| fieldformat diff = tostring(diff, "duration")
| table diff
Thanks Ravi. But my concern is: I need to configure a query for time differences greater than 3 seconds.
New_Time and Previous_Time are the fields for each event in all servers.
The above query helps me for a single time difference. I need to run it for all servers and also for all events. How do I configure this query?
I tried the query below but had no luck.
| eval New_Time, Previous_Time
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| fieldformat diff = tostring(diff, "duration")
| table diff
Hi
Check this
sourcetype="XXXXXX" host="XXXXXX"
| eval temp = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| fieldformat diff = tostring(temp, "duration")
| table New_Time, Previous_Time, sent, start, diff, temp | where temp > 3
Just twisting @vnravikumar's answer.
@manurajrajappan
Can you please try this?
YOUR_SEARCH | eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| where diff >3
| fieldformat diff = tostring(diff, "duration")
| table New_Time, Previous_Time, diff
Sample:
| makeresults
| eval New_Time="2020-01-22T03:17:36.385000000Z",Previous_Time="2020-01-22T03:17:39.388208200Z"
| rename comment as "Upto this is for data generation only"
| eval diff = strptime(Previous_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z") -strptime(New_Time, "%Y-%m-%dT%H:%M:%S.%9N%Z")
| where diff >3
| fieldformat diff = tostring(diff, "duration")
| table New_Time, Previous_Time, diff
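The same strptime / diff / where pipeline, redone in Python as an added example so the logic can be checked offline against a handful of events; this is not code from the thread or from Splunk. Splunk's %9N reads a nanosecond fraction, but Python's datetime only carries microseconds, so the fraction is parsed by hand and the arithmetic is done in integer nanoseconds to avoid float rounding on epoch-sized values. The helper names (parse_ts_ns, time_diff, slow_events, to_duration) and the sample events are assumptions constructed for the example; to_duration only approximates the shape of tostring(x, "duration") and is not a reproduction of Splunk's exact output.

```python
import re
from datetime import datetime, timezone

# Matches "%Y-%m-%dT%H:%M:%S.%9N%Z" style values with a literal Z suffix,
# e.g. 2020-01-22T03:17:36.385000000Z; the fraction may be 1-9 digits.
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{1,9})Z$")


def parse_ts_ns(value: str) -> int:
    """Epoch nanoseconds for a timestamp such as 2020-01-22T03:17:36.385000000Z.
    Raises ValueError for anything else, which plays the role of strptime()
    returning null in Splunk (the cause of the blank results in the first query)."""
    m = _TS_RE.match(value)
    if m is None:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    whole_seconds = int(base.timestamp())
    # Right-pad a short fraction so "385" means 385 ms, not 385 ns.
    nanos = int(m.group(2).ljust(9, "0"))
    return whole_seconds * 1_000_000_000 + nanos


def time_diff_ns(new_time: str, previous_time: str) -> int:
    """Previous_Time - New_Time in nanoseconds, same sign convention as the SPL answers."""
    return parse_ts_ns(previous_time) - parse_ts_ns(new_time)


def time_diff(new_time: str, previous_time: str) -> float:
    """The same difference in seconds, i.e. the SPL 'diff' field."""
    return time_diff_ns(new_time, previous_time) / 1e9


def to_duration(seconds: float) -> str:
    """Render seconds as [D+]HH:MM:SS.mmm (hypothetical formatter, approximates
    the shape of tostring(x, "duration") rather than reproducing Splunk's output)."""
    sign = "-" if seconds < 0 else ""
    total_ms = round(abs(seconds) * 1000)
    days, rem = divmod(total_ms, 86_400_000)
    hours, rem = divmod(rem, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    secs, ms = divmod(rem, 1000)
    prefix = f"{days}+" if days else ""
    return f"{sign}{prefix}{hours:02d}:{minutes:02d}:{secs:02d}.{ms:03d}"


def slow_events(events, threshold_seconds: float = 3.0):
    """Equivalent of '| eval diff = ... | where diff > 3' run over every event.
    Events with a missing or unparseable field are skipped, mirroring how a null
    diff never passes the where clause in Splunk."""
    kept = []
    for ev in events:
        try:
            diff = time_diff(ev["New_Time"], ev["Previous_Time"])
        except (KeyError, ValueError):
            continue
        if diff > threshold_seconds:
            kept.append({**ev, "diff": diff, "diff_duration": to_duration(diff)})
    return kept


# Constructed sample events (not real data): one fast gap, one slow gap, and one
# whose New_Time is in the m/d/Y layout the very first query expected.
SAMPLE_EVENTS = [
    {"host": "srv01", "New_Time": "2020-01-22T03:17:36.385000000Z",
     "Previous_Time": "2020-01-22T03:17:36.388208200Z"},
    {"host": "srv02", "New_Time": "2020-01-22T03:17:36.385000000Z",
     "Previous_Time": "2020-01-22T03:17:39.388208200Z"},
    {"host": "srv03", "New_Time": "01/22/2020 03:17:36",
     "Previous_Time": "2020-01-22T03:17:40.000000000Z"},
]

if __name__ == "__main__":
    for ev in slow_events(SAMPLE_EVENTS):
        print(ev["host"], ev["New_Time"], ev["Previous_Time"], ev["diff_duration"])
```

Run as a script it lists only srv02, the event whose gap exceeds three seconds; srv01 is under the threshold and srv03 is dropped because its New_Time does not match the expected layout, which is exactly the silent failure mode behind the blank table in the original question.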