Sometimes you need to parse timestamps from logs (because you don’t have a Splunk account), and you can use Python’s datetime module to do that. The trick is feeding the datetime.datetime.strptime() function the correct format string; otherwise you get a weird "ValueError: unconverted data remains" error message.
Suppose you have been using the vanilla Python logging module and have extracted some timestamps. Then you can do the following:
```python
import datetime

# timestamps from logging module
t0 = "2015-08-12 14:11:15,576"
t1 = "2015-08-12 14:11:15,613"

# formatting string
fmt = "%Y-%m-%d %H:%M:%S,%f"

# datetime objects
d0 = datetime.datetime.strptime(t0, fmt)
d1 = datetime.datetime.strptime(t1, fmt)

# subtraction works and produces a difference
dt = d1 - d0

# return the difference in seconds
sec = dt.total_seconds()  # <-- 0.037
```
As with cryptography, you should never roll your own date/time functionality. You might think of all the edge cases, like timezones and daylight saving time, but this is easier, and it’s easy to change your format string when (not if) your input data source decides to change.
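The following is an added example, not code from the original post. It applies the same format string to whole log lines, where passing the full line to strptime() would raise the "unconverted data remains" error, and it falls back to a second format when the source changes. The second format, the regular expression, the function names and the sample lines are assumptions constructed for illustration.

```python
import datetime
import re

# Candidate formats, tried in order. The first is the logging-module layout
# used in the post; the second is a hypothetical "source changed" layout
# (assumption, added for illustration).
FORMATS = [
    "%Y-%m-%d %H:%M:%S,%f",
    "%Y-%m-%dT%H:%M:%S.%f",
]

# Leading timestamp only: date, separator, time, then ',' or '.' and 1-6
# fractional digits. Cutting the line here avoids "unconverted data remains".
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}[,.]\d{1,6}")


def parse_timestamp(line):
    """Return the datetime at the start of a log line, or None if absent."""
    match = TS_RE.match(line)
    if match is None:
        return None  # e.g. a traceback continuation line
    for fmt in FORMATS:
        try:
            return datetime.datetime.strptime(match.group(0), fmt)
        except ValueError:
            continue  # separators do not fit this format, try the next
    return None


def gaps_in_seconds(lines):
    """Seconds elapsed between consecutive timestamped lines."""
    stamps = [ts for ts in map(parse_timestamp, lines) if ts is not None]
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


# Constructed sample input, not real log data.
SAMPLE = [
    "2015-08-12 14:11:15,576 INFO request received",
    "Traceback (most recent call last):",
    "2015-08-12 14:11:15,613 ERROR handler failed",
    "2015-08-12T14:11:16.113 INFO retry scheduled",
]

if __name__ == "__main__":
    print(gaps_in_seconds(SAMPLE))
```

Lines without a leading timestamp are skipped rather than treated as errors, so multi-line entries such as tracebacks do not break the timeline.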