0
votes

I have a Splunk search query like this:

...earlier query.....
| eval sTime=mvindex(sTime,1), eTime=mvindex(eTime,1), 
TotalTime = strptime(sTime, "%Y-%m-%dT%H:%M:%S%z") - strptime(eTime, "%Y-%m-%dT%H:%M:%S%z") 
| table sTime eTime TotalTime

I have start and end times like this in my log:

sTime:2018-03-14T19:18:10.851

eTime:2018-03-14T19:19:20.667

I am getting TotalTime empty, i.e. no values. What is wrong in this query? I was following the Splunk forum here: Link.


1 Answers

1
votes

There are two problems with your query.

  1. You should subtract sTime from eTime (IOW, eTime should be first).
  2. The time format in your log doesn't match the format in the strptime calls. Try strptime(sTime, "%Y-%m-%dT%H:%M:%S.%3N").
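As an added illustration (not part of the question or answer), the following Python model reproduces why the original query yields an empty TotalTime: Splunk's strptime silently returns null when the string does not match the format, so the subtraction has nothing to work with. Python's %f stands in for Splunk's %3N here, and the sample timestamps are the ones from the question.

```python
from datetime import datetime

# Sample values copied from the question (constructed input for this demo).
S_TIME = "2018-03-14T19:18:10.851"
E_TIME = "2018-03-14T19:19:20.667"

# Splunk's %3N (milliseconds) has no Python counterpart; Python's %f parses
# fractional seconds, so each Splunk format is mapped to its Python twin.
FMT_WRONG = "%Y-%m-%dT%H:%M:%S%z"     # the question's format (no ".%3N", has %z)
FMT_RIGHT = "%Y-%m-%dT%H:%M:%S.%3N"   # the answer's format
PY_FMT = {
    FMT_WRONG: "%Y-%m-%dT%H:%M:%S%z",
    FMT_RIGHT: "%Y-%m-%dT%H:%M:%S.%f",
}


def splunk_strptime(value, fmt):
    """Mimic Splunk's strptime: return a datetime, or None when the string
    does not match the format (Splunk yields null instead of an error)."""
    try:
        return datetime.strptime(value, PY_FMT[fmt])
    except ValueError:
        return None


def total_time(s_time, e_time, fmt):
    """eTime minus sTime in seconds (end first, as the answer notes), or None
    when either side fails to parse, which is what emptied TotalTime."""
    start = splunk_strptime(s_time, fmt)
    end = splunk_strptime(e_time, fmt)
    if start is None or end is None:
        return None
    return round((end - start).total_seconds(), 3)


if __name__ == "__main__":
    print(total_time(S_TIME, E_TIME, FMT_WRONG))  # None: format mismatch
    print(total_time(S_TIME, E_TIME, FMT_RIGHT))  # 69.816
```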