Splunk Search

How to use time modifiers on non event time fields?

splunked38
Communicator

Hi All,

I have a sourcetype with the following:

_time, host, contacttime
eg:
2015-07-14 02:01:02.353 ZEUS 2014-01-23 12:53:19

(before anyone asks, _time is when the event was 'imported', long story)

I'd like to:
1. be able to use time modifiers on contacttime
2. as an example, use the time modifiers to filter out any events that have a contacttime > 3 months

Any assistance would be greatly appreciated.

1 Solution

woodcock
Esteemed Legend

If you really need to use time modifiers, you can do this:

... | eval _time=strptime(contacttime, "%Y-%m-%d %H:%M:%S") | <your search with modifiers here>

However you can work with contacttime directly like this:

| eval contactepoch=strptime(contacttime, "%Y-%m-%d %H:%M:%S") | where contactepoch<(now()-3*31*24*60*60)


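A fuller search built on the same strptime approach, added here as an example and not code from the thread. The sourcetype name contact_log is assumed; it uses relative_time() for a calendar-aware "3 months ago" instead of the fixed 3*31-day offset, drops events whose contacttime fails to parse, and then re-bases _time on the contact time so time-based commands such as timechart operate on it:

```spl
sourcetype=contact_log
| eval contactepoch=strptime(contacttime, "%Y-%m-%d %H:%M:%S")
| where isnotnull(contactepoch)
| where contactepoch < relative_time(now(), "-3mon@d")
| eval _time=contactepoch
| timechart span=1mon count by host
```

Flip the comparison to contactepoch >= relative_time(now(), "-3mon@d") to keep only the last three months instead. The isnotnull() check matters because a contacttime in an unexpected format yields a null epoch, which would otherwise be silently dropped by the where clause without any indication that parsing failed.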

splunked38
Communicator

Thanks for the prompt response.
