Re: How to get the time difference after convertin...

payton_tayvion · ‎07-23-2019

I'm currently trying to get the duration of some events, but when i use this search nothing is coming back:

| tstats count earliest(_time) AS first latest(_time) as last FROM datamodel=Vulnerabilities where (nodename="Vulnerabilities" Vulnerabilities.severity!="informational") by Vulnerabilities.signature | eval first_time=strftime(first,"%Y-%m-%d %H:%M:%S") , last_time=strftime(last,"%Y-%m-%d %H:%M:%S") | fields - first,last |eval duration=last_time-first_time

The strftime command converts the unix time, but im not able to get the difference

adonio · ‎07-23-2019

maybe change the order:

| tstats count earliest(_time) AS first latest(_time) as last FROM datamodel=Vulnerabilities where (nodename="Vulnerabilities" Vulnerabilities.severity!="informational") by Vulnerabilities.signature 
| eval duration=last - first
| eval first_time=strftime(first,"%Y-%m-%d %H:%M:%S") , last_time=strftime(last,"%Y-%m-%d %H:%M:%S") 
| fields - first,last duration

payton_tayvion · ‎07-23-2019

when i do it that way and convert the duration, the results are dates thats in 1970s vs it actually being the duration of the first and last time.

How to get the time difference after converting unix time using strftime?

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!