Splunk Search

Assign earliest and latest _time to some other timestamp column

splunk_hvijay
Explorer

I want to take the earliest and latest _time and assign to some other timestamp column. For example, I have a timestamp column Transaction Date which is NOT _time and I want to use this in the search command to achieve the below

Index = test | where Transaction_date => earliest and Transaction_date <= latest

Can you please help me.

Not sure what is epoch time and why to convert that. I have timestamp like "2016-08-05 12:00:00.0"

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this

index=test | addinfo | eval Tdate=strptime(Transaction_date,"%Y-%m-%d %H:%M:%S.%1N") | where Tdate >= info_min_time AND Tdate <= info_max_time | ...

Epoch time is the Unix timestamp standard. It's the number of seconds since 1 Jan 1970 (IIRC). Converting dates to epoch (integer) form makes it vastly easier to compare and manipulate them.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...