I have two values in my events: "OccuredOn" (ignore the spelling...) and "EndTime". Quite simply, I want the difference between these two values. I've converted them to a date time format and simply subtracted one from the other, see below:
generic search....
| eval EndTimeTime = strptime(EndTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval OccurredOnTime = strptime(OccuredOn,"%Y-%m-%dT%H:%M:%S.%3Q")
| eval ResponseTime = EndTimeTime-OccurredOnTime
| eval ResponseTimeString = strftime(ResponseTime, "%d %H:%M:%S.%3Q")
| eval HourOccurred = strftime(OccurredOnTime,"%Y-%m-%d %H")
| table EndTime, EndTimeTime, OccuredOn, OccurredOnTime, ResponseTimeString
If I format these times just as Hour, Minute, Second, Microseconds, then it works fine. The hours, minutes and seconds are all correct. However, when I use a day, it incorrectly says there is a day's difference.
E.g. for the following record, I would expect the ResponseTimeString to be around 2 hours 17 minutes, as you can see it looks correct apart from the day. Why does it think there is a day difference?
EndTime - OccurredOnTime - ResponseTimeString
2016-01-31 23:28:07.991000 - 2016-01-31T21:10:09.45 - 01 02:17:58.541
I could always just omit the day value, but I'd rather leave it on for the unlikely event where I have a request which runs over an entire day, all other requests should look something like: 0 days, 04:10:11.12412
What is wrong here?
... View more