Hi,
I have the below query to compare the date I am extracting from logs with the current date:
(sourcetype="XYZ") OR (sourcetype="ABC")
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|"
| rex "(?P<Date>\d+\/\d+\/\d+\|\d+:\d+:\d+.\d+[^\|]+)"
| eval DatetimeEpoch=strptime(Date,"%Y/%m/%d %H:%M:%S")
| eval epoch30minsago=relative_time(now(), "-30m@m" )
| stats first(sourcetype) as last_sourcetype first(Date) by Field1
| search last_sourcetype="XYZ"
| where DatetimeEpoch>=epoch30minsago
I want to print out the values of Field1 if the field "Date" is 30 mins behind the current time.
The format of the field "Date" is below:
2013/12/12|07:01:01.311
2013/12/12|07:20:17.464
2013/12/12|07:23:52.217
2013/12/12|07:24:52.480
2013/12/12|07:25:42.285
2013/12/12|07:25:49.494
2013/12/12|07:26:24.669
Please let me know how I can compare this with the current time/date. My query above is not working, probably because the field "Date" is in string format and Splunk is not able to convert it to epoch?
Your strptime() format doesn't match the Date field. Try "%Y/%m/%d %H:%M:%S.%3Q". Also the where clause should read 'where DatetimeEpoch <= epoch30minsago' to select events at least 30 minutes behind the current time.
Also: have you seen the Timewrap app?
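An added example, not from the question or either answer, showing the whole search corrected end to end: the strptime() format uses the pipe that actually separates date and time in the Date field and consumes the milliseconds with %3Q, and the epoch comparison is moved after stats, because stats keeps only the fields it is asked for (DatetimeEpoch and epoch30minsago from the original query no longer exist by the time where runs). The sourcetype names and the Field1 rex are taken as-is from the question; the search assumes the Date values are in the search head's time zone, since the format carries no %z.

```spl
(sourcetype="XYZ") OR (sourcetype="ABC")
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|"
| rex "(?P<Date>\d+\/\d+\/\d+\|\d+:\d+:\d+\.\d+)"
| eval DatetimeEpoch=strptime(Date, "%Y/%m/%d|%H:%M:%S.%3Q")
| stats first(sourcetype) AS last_sourcetype, first(Date) AS last_Date, first(DatetimeEpoch) AS last_epoch BY Field1
| where last_sourcetype="XYZ" AND last_epoch <= relative_time(now(), "-30m@m")
| table Field1, last_sourcetype, last_Date
```

Events arrive newest first, so first() yields the most recent record per Field1 and the where keeps only the IDs whose latest record is at least 30 minutes old, which is the "stopped reporting" condition the question is after. If last_epoch comes back empty for every row, the strptime() format still does not match Date character for character, so check it with `| table Date, DatetimeEpoch` before the stats.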
Look, is this "Date" field in your events the same timestamp information that Splunk uses for indexing purposes? If so, then that information is already available in the _time field, so you don't have to extract it again with rex.
Check it with:
your search for events | head 3 | table _time, Date
Do the timestamps match?