Timestamp Subtraction

Prateek_Kshtriya · March 14, 2016, 6:26am

Hi All ,

Please suggest me if it is possible to subtract two time stamp in kibana.

The log file contains the time stamp for generation of below ID's:-
Conversation ID ---> Conversation State ID (there are different state ID's getting generated for each conversation ID)

Target:- Subtract the time stamp for Conversation state ID's (Corresponding to Conversation ID) to get time for each state.

31C4B11B8A10003A6A59080 01B6BDA3A71A4F3C46DDDA1E1526 Processing 12:23:46AM 2016-02-25 12:23:46AM
31C4B11B8A10003A6A59080 11841B555FAA4DF0C089603ABB5F New NULL 12:19:38AM 2016-02-25 12:19:38AM
31C4B11B8A10003A6A59080 DC18DCA779DE43FCCF75A6448AB3 ReadyForProcessing 12:19:38AM 2016-02-25 12:20:38AM
31C4B11B8A10003A6A59080 B5A8EA30801D42DAE348AB59A7EB Failure NULL 12:11:57AM 2016-02-25 12:24:57AM

Please help.

Thank you.

tbragin · March 25, 2016, 1:02am

Kibana scripted fields would be the way to go here, but they are based on Lucene Expressions language, which currently does do date math directly, it only deals with numbers. Here is the documentation:
https://www.elastic.co/guide/en/elasticsearch/reference/2.2/modules-scripting.html#_lucene_expressions_scripts

As you can see, you can do stuff like get the years and substract that, but that may not be what you ultimately need.