calculate Difference between 2 time fields is not...

nivethainspire_ · ‎05-22-2020

I tried to difference between 2 dates. It is not working properly.

Here is my query,

I need the time difference between Last_date and now() and display as Date.
Can someone help me out.

to4kawa · ‎05-23-2020

index=s_iss sourcetype=S_AD Name=*
| eval Last_Date = "2019-09-28 17:09:19"
| eval diff=_time - strptime(Last_Date,"%F %T")
| eval Last_Date=mvindex(split(Last_Date," "),0)
| table _time diff Name Last_Date

Why do you calculate now() and Last_Date?
It is fixed value.

This query aims to calculate the diff between _time and Last_Date .
How about this?

gcusello · ‎05-22-2020

Hi @nivethainspire_07,
in you example _time is a variable that you need to convert in epochtime (with strptime), in real events, you don't need to do this convertion because _time is already in epochtime.

Then, in your example, you don't calculate the difference between now and Last_Date but the difference between _time and Last_Date.
Then if you want to use _time in stats, you have to group values (using bin command) before stats or you have to use timechart command.

So, if you want the difference between Last_Date and now, you could try something like this.

index=s_iss sourcetype=S_AD 
| fillnull value="" 
| eval diff=now()-strptime(Last_Date,"%Y-%m-%d %H:%M:%S.%Q")
| timechart span=1h latest(diff) AS date by Name

Ciao.
Giuseppe

calculate Difference between 2 time fields is not working.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms