Grouping events by time range relative to the current time, using calculations with eval statements

jdbtee
Path Finder

Hi,

I want to group event times into ranges relative to the current time. Currently this method does not work. The field I'm using is not the event time but a property of a log, so the event looks something like this:

logtime (taken as upload date), STR_TIME(1st detection date "2013-11-3"), prop1, prop2

my chart is: chart count(prop1) over AGE by prop2 usenull=f | sort + prop2

Code:

eval STR_TIME=strptime(detected_date, "%Y-%m-%d")
| eval AGE=case(STR_TIME <= time(-864000s), "10 Days",
STR_TIME > time(-864000s) AND STR_TIME < time(-2592000s), "10 to 30",
STR_TIME >= time(-2592000s) AND STR_TIME < time(-7776000s), "30 to 90",
STR_TIME >= time(-7776000s) AND STR_TIME < time(-15552000s), "90 to 180",
STR_TIME >= time(-15552000s), "180 Days Plus", "180 Days Plus" ) | chart count(prop1) over AGE by prop2 usenull=f | sort + prop2

Error:
Error in 'eval' command: The expression is malformed. Expected ).

I have also tried nested IF statements. I can't find any discussion of using maths within a "case" or "if" eval.

Also tried:
= (time()- seconds)

Are calculations like this possible?

1 Solution

strive
Influencer

Try this

Some search terms...| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...

To check with current time

Some search terms...| eval STR_TIME=strptime(Vulnerability_Published_Date, "%Y-%m-%d") | eval STR_TIME = (now()-STR_TIME)| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...

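As an added worked example (not code from the original thread or from either poster), the accepted approach run against constructed rows from makeresults, so the bucket edges can be checked without any index. The field name detected_date and the days-ago values are assumptions for the demonstration; the last constructed row is deliberately a date in the wrong format.

```spl
| makeresults count=6
| streamstats count AS n
| eval days_ago=mvindex(split("3,20,45,120,200,bad", ","), n-1)
| eval detected_date=if(days_ago="bad", "11/03/2013", strftime(now() - tonumber(days_ago)*86400, "%Y-%m-%d"))
| eval detected_epoch=strptime(detected_date, "%Y-%m-%d")
| eval age_secs=now() - detected_epoch
| eval AGE=case(isnull(detected_epoch), "Unparsed date",
    age_secs <= 864000, "10 Days",
    age_secs < 2592000, "10 to 30",
    age_secs < 7776000, "30 to 90",
    age_secs < 15552000, "90 to 180",
    true(), "180 Days Plus")
| table detected_date days_ago age_secs AGE
```

The poster's original error comes from time(), which takes no arguments in eval; the working pattern is now() minus the strptime() epoch, or relative_time(now(), "-10d") if you prefer to compare epoch values directly. now() is the search's start time, so every row is aged against the same instant, whereas time() is the per-row wall clock. case() returns the first matching branch, so each later branch only needs its upper bound and true() supplies the default. The isnull() branch matters for a vulnerability-age report: a date strptime() cannot parse gives a null age that matches no bucket, and with usenull=f those rows silently vanish from the chart instead of being counted.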
jdbtee
Path Finder

So adding "| eval STR_TIME = (now()-STR_TIME)|" has allowed the relative calculation of events, where I had previously tried this within a single eval with the cases.

jdbtee
Path Finder

Hi Strive,

Your final edit has worked! Cheers

strive
Influencer

Check my edited answer

jdbtee
Path Finder

Hi Strive,

This has produced some output as a start (I have tried for quite a few hours :)), but all events are in "180 Days Plus" and no further cases seem to be met.

The other concern with this is that I want it relative to today, I'm not sure having literals will work.
