Sometimes you need to parse timestamps from logs (because you don’t have a splunk account) and you can use Python’s datetime module to do that. The trick is feeding the
datetime.datetime.strptime() function the correct format string or you get a weird
ValueError: unconverted data remains error message.
Suppose you have been using the vanilla Python logging module, and you have extracted some timestamps, then we can do the following,
import datetime # timestamps from logging module t0 = "2015-08-12 14:11:15,576" t1 = "2015-08-12 14:11:15,613" # formatting string fmt = "%Y-%m-%d %H:%M:%S,%f" # datetime objects d0 = datetime.datetime.strptime( t0, fmt ) d1 = datetime.datetime.strptime( t1, fmt ) # subtraction works and produces a difference dt = d1 - d0 # return the difference in seconds sec = dt.total_seconds() # <-- 0.037
Like cryptography, you should never roll your own date/time functionality. You might think of all the edge cases, like timezones and daylight savings, but this is easier, and it’s easy to change your format string when (not if) your input data source decides to change.