Compare time of the output of the query

Anshumaan12 · ‎07-29-2016

Hi All

I am trying to compare the result of the query.

In am getting this result from my query
Hostname date time
1. 17/07/2016 12:32:00
2. 22/07/2016 10:32:00
3. 12/07/2016 18:32:00
4. 18/07/2016 11:32:00
5. 02/07/2016 02:32:00

I want data based on time
Like datatime greater than last 2 hours
Date time greater than 10 hours
Earliest and latest are not working for me correctly so I want to compare time.

sundareshr · ‎07-29-2016

Try this

... | eval dtm=strptime(datetime, "%d/%m/%Y %H:%M:%S")  | eval range=case(dtm>=relative_time(now(), "-2h"), "last 2hrs", dtm>=relative_time(now(), "-10h") AND dtm<relative_time(now(), "-2h"), "last 10hrs", 1=1, "Error time format") | chart count over host by range

Richfez · ‎07-29-2016

Could you provide the search you are running and a couple of the underlying raw events?

Richfez · ‎07-29-2016

Is this being read from a CSV file? There are many options at ingest time to set the timestamp qualities so this data becomes time-sequenced properly. Have you investigated those? The GUI for adding new data has a whole section on making sure your timestamps are right...

Anshumaan12 · ‎07-29-2016

No . I am just running a query and getting that output as a dashboard.

Compare time of the output of the query

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!