Subtract dates into a number using Splunk

93 Views Asked by zachaz35 At 21 December 2023 at 23:51

I am trying to subtract two times in a streamstats command in Splunk query and I am receiving an emptry string. The time is in the format Y-M-DTHH:MM:SS.N

For example, there are two dates which could be (1) 2023-12-21T01:02:03.123 and (2) 2023-12-21T01:02:03.200

The subtract would be (2) - (1) to get some kind of time duration (like 77 in this case).

My Splunk query:

index=web sourcetype=my_source | eval timestamp = strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%N") | streamstats global=f current=f window=2 range(timestamp) as duration | table _time, timestamp

I'm trying to subtract two dates and I keep receiving empty string values with no numerical representations.

Original Q&A

There are 1 best solutions below

RichG On 22 December 2023 at 01:03

You can't subtract dates in Splunk. They must be converted into (or kept as) integers then subtracted.

index=web sourcetype=my_source 
| streamstats global=f current=f window=2 range(timestamp) as duration 
| eval timestamp = strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%N") 
| table _time, timestamp, duration

Subtract dates into a number using Splunk

There are 1 best solutions below

Related Questions in SPLUNK

Related Questions in SPLUNK-QUERY

Trending Questions

Popular # Hahtags

Popular Questions