Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

last time of user login needs to evaluate

deepak_dhankhar
Explorer
‎06-20-2017 03:34 AM

need to evaluate the duration of last time user logged in and time now.
problem I am facing is in lastTime I am getting values like "1473248264"

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-20-2017 03:40 AM

Hi deepak.dhankhar,
value isin epoch time, to translate it in human readable format you have to convert it:

  • if you have a date use | eval new_value=strftime(your_value,"%Y-%m-%d.%H:%M:%S")
  • if you have a duration use | eval duration=tostring(your_value,"duration")

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎06-20-2017 03:51 AM

If you just want to change the time from epoch time to human readable string format, you should better use fieldformat which will format the data without changing the underlying data. For calculating the last login duration as compared to current time you can use now() function for getting current time and compare to lastTime (which is epoch time as per your question). 

 <Your Base Search>
| eval durationInSec=now()-lastTime
| fieldformat  lastTime=strftime(lastTime,"%c")

You can use your own time format specified, I have used %c as an example for convenience.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

deepak_dhankhar
Explorer
‎06-20-2017 04:12 AM

Thank you so much

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎06-20-2017 03:43 AM

Hi,

you need to use the command strftimeto convert this timeformat into a more human readable.

<yoursearch> | eval LASTTIME=strftime(lastTime,"%d-%m-%Y %H:%M:%S")
0 Karma
Reply
Solved! Jump to solution

deepak_dhankhar
Explorer
‎06-20-2017 03:54 AM

sorry, I think you didnt got my question correct i think. let me elobrate it for you.

lastTime is the field I am getting the user's last time login time
now with "eval LASTTIME=strftime(lastTime,"%d-%m-%Y %H:%M:%S")" I got this is in readable format,
Now I need is the difference between that time and now currrent time.

that will give me the user's has not logged in from that much time, hope I am clear now

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎06-20-2017 05:35 AM

Thanks for the clarification. 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎06-20-2017 03:40 AM

Hi deepak.dhankhar,
value isin epoch time, to translate it in human readable format you have to convert it:

  • if you have a date use | eval new_value=strftime(your_value,"%Y-%m-%d.%H:%M:%S")
  • if you have a duration use | eval duration=tostring(your_value,"duration")

Bye.
Giuseppe

Reply
Solved! Jump to solution

deepak_dhankhar
Explorer
‎06-20-2017 03:47 AM

Got the last time in readable format, but still unable to compair it to current time

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-20-2017 04:23 AM

hi deepak.dhankhar,
to compair it to current time, you have to:

  • convert it in epochtime using strptime function in eval command,
  • compair to current time,
  • show as duration.

in other words something like this:

| eval your_time=strptime(your_time,"your_format"), duration=tostring(now()-your_time,"duration")

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...