Solved: How to use time modifiers on non event time fields...

splunked38 · ‎07-14-2015

Hi All,

I have a sourcetype with the following:

_time, host, contacttime
eg:
2015-07-14 02:01:02.353 ZEUS 2014-01-23 12:53:19

(before any one asks, _time is when the event was 'imported', long story)

I'd like to:
1. be able to use time modifiers on contacttime
2. as an example, with the time modifiers be able to filter out any events that have a contacttime>3 months

Any assistance would be greatly appreciated.

woodcock · ‎07-14-2015

If you really need to use time modifiers, you can do this:

... | eval _time=contacttime | <your search with modifiers here>

However you can work with contacttime directly like this:

| eval contactepoch=strptime(contacttime, "%Y-%m-%d %H:%M:%S") | where contactepoch<(now()-3*31*24*60*60)

View solution in original post

woodcock · ‎07-14-2015

If you really need to use time modifiers, you can do this:

... | eval _time=contacttime | <your search with modifiers here>

However you can work with contacttime directly like this:

| eval contactepoch=strptime(contacttime, "%Y-%m-%d %H:%M:%S") | where contactepoch<(now()-3*31*24*60*60)

splunked38 · ‎07-20-2015

Thanks for the prompt response.

How to use time modifiers on non event time fields?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life