I need to create a field today that is equal to the epoch timestamp in milliseconds for midnight yesterday. I've been successful in using eval for this, but Splunk is adding ".000" to the end of the field value and I can't for the life of me figure out why or how to remove .000, so that the value can be passed to a dbxquery formatted in milliseconds.
I've tried using rex mode=sed field=today "s/.000//", then attempted to convert the value to a string first, before sending to rex/sed.
The .000 persists.
...| eval today=(relative_time(now(),"-1d@d")*1000) | top today
search result:
today=1513832400000.000
Try this
..| eval today=round(relative_time(now(),"-1d@d")*1000) | top today
Try
eval today=round(relative_time(now(), "-1d@d") * 1000, 0)
Try this
..| eval today=round(relative_time(now(),"-1d@d")*1000) | top today
This did the trick, thank you!!