Splunk Search

How to find the time difference in days between the _time of an event and the current time?

_gkollias
SplunkTrust
SplunkTrust

Hi All,

I might be over thinking this one, but since I've already used _time--> ...| stats earliest(_time) as first_seen, latest(_time) as last_seen, ... |, is it possible find the "current_time"?

What I want to do is do something like ..| eval days_since=(current_time-last_seen)

Is this possible?

Thanks!

Tags (3)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:

... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")

I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.

View solution in original post

niketn
Legend

Pipe reltime to original query which created a field reltime to give time difference between now and _time in humar readable form.

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Reltime

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:

... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")

I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.

martin_mueller
SplunkTrust
SplunkTrust

So... this?

... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")

Rithekakan
Path Finder

Thanks martin_mueller.

That also what I want.

0 Karma

_gkollias
SplunkTrust
SplunkTrust

Thank you!

0 Karma

_gkollias
SplunkTrust
SplunkTrust

This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:

http://screencast.com/t/9yVnvtpl

I'd like to be able to show something like "Today", 1 Day, or if greater than 1 , "x Days". Here is what I was thinking using the case function:

| eval days_since_last_txn=case(days_since_last_txn=0,"Today",days_since_last_txn=1,"1 Day",days_since_last_txn>1, days_since_last_txn."[".Days."]")

This didn't work for me, but do you have any insight on rounding by number of days?

Thank you!

0 Karma

ppablo
Retired

Hi @_gkollias

Are you looking for something like this?

...| eval days_since=(now()-last_seen)

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...