Hi,
Can we convert Splunk-specific time to epoch time?
For example:
-4h@h
I am using a search query in which one token has a value like this, causing that query to fail.
Query:
Working fine: eventtype=mlc | eval _time = 3423423423 + relative_time
Not working: eventtype=mlc | eval _time = -4h@h + relative_time
Thanks
Try like this
eventtype=mlc | eval _time = if(len(replace("$yourtoken$","\d",""))=0,$yourtoken$,relative_time(now(),"$yourtoken$")) + relative_time
Basically, this checks whether the token value is all numbers (not a relative time modifier); if so, it uses the token value, otherwise it uses the relative time modifier value instead.
You use the relative_time() function and the now() function.
Thank you @somesoni2. It helped me to fix the problem.
The below one worked fine.
eventtype=mlc | eval start_time = if(len(replace("$time_token.earliest$","\d",""))=0,"$time_token.earliest$",0) | eval _time = start_time + relative_time
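The numeric-or-relative check discussed in this thread can be tried without a dashboard by feeding sample values through a field. This is an added example, not code from any poster in the thread. The field names tok, epoch and readable are hypothetical and the sample values are constructed. Holding the value in a field means both branches of if() receive a string, whichever form the value takes.

```spl
| makeresults
| eval tok=split("1500000000,-4h@h,@d,-7d@d", ",")
| mvexpand tok
| eval epoch=if(match(tok, "^\d+$"), tonumber(tok), relative_time(now(), tok))
| eval readable=strftime(epoch, "%Y-%m-%d %H:%M:%S")
| table tok epoch readable
```

In a dashboard, the first three lines would be replaced by a single eval that assigns the quoted token to tok.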