Splunk Search

How to create a report with a date determined by adding one month to the current _time and subtracting one day?

pinku_mano
New Member

Hi guys,

I am quite new to Splunk.
I am trying to generate a report where it prints the current time from the _time field.
Then I want to add one month and subtract one day to get the new date for my report.

Can any one give me a hint or an example please?

Mano

0 Karma

richgalloway
SplunkTrust

Try relative_time().

... | eval futureTime=relative_time(relative_time(_time, "+1mon"), "-1d") | fieldformat futureTime=strftime(futureTime,"%Y-%m-%d %H:%M:%S") | ...
---
If this reply helps you, Karma would be appreciated.

sjbriggs
Path Finder

This was a good post. I thought I had to subtract seconds in order to look at previous weeks. But I see now that doing this:
| eval futureTime=relative_time(_time, "-7d") | fieldformat futureTime=strftime(futureTime,"%Y-%m-%d %H:%M:%S")

gets me where I need to be as well AND looks a little cleaner. I found plenty of references to strftime, but this is the first I've seen the "relative_time" command as well as the format for 7d, 1mon, etc. in a query like that.

Thanks again 🙂

0 Karma

pinku_mano
New Member

Hi, thanks for the quick response. Much appreciated.

I tried something similar using the eval function:
eval time=strftime(relative_time(_time, "+1mon"), "%Y%m%d %H:%M:%S")

If I add one month to "31 May 2016 at 6:44:30 p.m." it gives me "20160701 18:44:30"

Whereas it should be: "Thursday, 30 June 2016 at 6:44:30 p.m."

Can you please advise what I am doing wrong?

Thanks in advance

0 Karma

richgalloway
SplunkTrust

First, the easy part. The difference between your current output and expected output is in the strftime format string. Try "%A, %d %B %Y at %I:%M:%S %p".

As for the result of relative_time(), I don't have the answer, but I do have a theory. It looks like relative_time(_time, "+1mon") adds the number of days in the month specified in _time. So '31 May 16' jumps ahead 31 days to '1 July 16' because May is 31 days long, whereas '30 Apr 16' jumps ahead 30 days to '30 May 16' because April is only 30 days long. Regrettably, I don't have a good workaround for this.

---
If this reply helps you, Karma would be appreciated.
0 Karma
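A worked illustration of the month-end behaviour discussed in the answer above. This is an example added by the editor, not code from the thread or from Splunk. It models relative_time(_time, "+1mon") as "bump the month number, keep the day-of-month, and let a day that does not exist in the target month spill over into the following month" (the same arithmetic as the "add the number of days in the current month" theory: 31 May becomes 1 July, 30 April becomes 30 May). That model is an assumption about Splunk's semantics, checked only against the two observations quoted in the thread. The clamped variant is the calendar-aware alternative the asker expected (31 May to 30 June), and report_date applies the thread's "+1mon then -1d" recipe to both so the results can be compared. The sample timestamps are constructed; the function and field names are the example's own.

```python
import calendar
from datetime import datetime, timedelta


def _shift_month(dt, months):
    """Return the (year, month) that lies `months` calendar months after dt."""
    total = dt.month - 1 + months
    return dt.year + total // 12, total % 12 + 1


def add_months_overflow(dt, months=1):
    """Model of the "+1mon" behaviour observed in the thread (assumption, not Splunk's
    documented internals): keep the day number, bump the month, and let any surplus
    days carry into the next month, the way mktime()-style normalisation does.
    31 May 2016 -> "31 June" -> 1 July 2016; 30 April 2016 -> 30 May 2016."""
    year, month = _shift_month(dt, months)
    first_of_target = dt.replace(year=year, month=month, day=1)
    return first_of_target + timedelta(days=dt.day - 1)


def add_months_clamped(dt, months=1):
    """Calendar-aware alternative: clamp to the last day of the target month.
    31 May 2016 -> 30 June 2016; 31 January 2016 -> 29 February 2016 (leap year)."""
    year, month = _shift_month(dt, months)
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def report_date(dt, clamp=False):
    """The thread's recipe: add one month, then subtract one day."""
    plus_month = add_months_clamped(dt, 1) if clamp else add_months_overflow(dt, 1)
    return plus_month - timedelta(days=1)


# Format string suggested in the thread for "Thursday, 30 June 2016 at 6:44:30 p.m." style output.
REPORT_FORMAT = "%A, %d %B %Y at %I:%M:%S %p"


def compare(iso_timestamp):
    """Run both models on a "YYYY-MM-DD HH:MM:SS" string and return the results as strings,
    so the two semantics can be compared on any boundary date."""
    dt = datetime.strptime(iso_timestamp, "%Y-%m-%d %H:%M:%S")
    return {
        "overflow_plus_1mon": add_months_overflow(dt).strftime("%Y-%m-%d %H:%M:%S"),
        "clamped_plus_1mon": add_months_clamped(dt).strftime("%Y-%m-%d %H:%M:%S"),
        "overflow_report": report_date(dt).strftime(REPORT_FORMAT),
        "clamped_report": report_date(dt, clamp=True).strftime(REPORT_FORMAT),
    }


if __name__ == "__main__":
    # Constructed sample timestamps: the two discussed in the thread plus a leap-year month end.
    for sample in ("2016-05-31 18:44:30", "2016-04-30 18:44:30", "2016-01-31 18:44:30"):
        print(sample, compare(sample))
```

Two things worth noticing before relying on either model. First, for the asker's own date the overflow behaviour followed by "-1d" still lands on 30 June, which is the date the report actually wanted, while the clamped version lands on 29 June; so decide which semantics the report needs before "fixing" anything. Second, the two models only disagree when the input day does not exist in the target month (the 29th, 30th or 31st), so those are the dates to check against a real instance, for example with `| makeresults | eval t=strptime("2016-01-31 18:44:30", "%Y-%m-%d %H:%M:%S") | eval plus=strftime(relative_time(t, "+1mon"), "%Y-%m-%d")`, before trusting the model on your own Splunk version.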

pinku_mano
New Member

Thank you very much! My formatting is all good.

0 Karma

richgalloway
SplunkTrust

If your problem is solved then please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma