Calculating difference between time of 2 events

TheMorf · ‎10-03-2023

I am trying to extract the difference of time(duration) of 2 events in days.

I have 2 saperate event for the same ID. One is the starting event and the second is the ending event. Looking as follows.

event1 start:

[2023-05-24 12:02:24.674 CEST_] ID:1234

Event 2 end:

[2023-05-30 6:13:04:954 CEST_] ID:1234

De following query i tried:

Gebeurtenis(=id) =000057927_018448922
|stats min(_time) as start, max(_time) as end, range(_time) as diff by Gebeurtenis
|eval start=strftime(Aanmelden, "%d/%m/%Y")
|eval end=strftime(Afmelden, "%d/%m/%Y")
|eval diff=strftime(diff, "%d/%m/%Y")

the result i get is:

Diff is calculating the beginning time of splunk and not the 6 days of difference.

Any help is welcom.

richgalloway · ‎10-03-2023

The value of the diff field is in seconds. The strftime function adds that value to 1 Jan 1970 to come up with a timestamp. Obviously, that is not the goal. Expressing diff in days can be done in a couple of ways:

divide seconds by 86400 to get a number of days

| eval days=round(diff/86400,0)

Use the tostring function to convert seconds into d:H:M:S format.

| eval days=tostring(diff, "duration")

---
If this reply helps you, Karma would be appreciated.

Calculating difference between time of 2 events

stats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio