Splunk Search

What's the output of the following eval and now() function query?

bishtk
Communicator

Hi All,

Could you please help me here in confirming what would be the output of the below eval command?

"eval age = (now() - _time )"

Would the output be in minutes or seconds?

Thanks in advance,

0 Karma

Shan
Builder

@kundanbisht,

Let me tell you what exactly happens here.

eval age = (now() - _time )

now() is a Splunk function that gives you the current time in epoch format (Unix time, e.g. 1535779569). Epoch time is in seconds.
_time is your Splunk indexing time (e.g. 2018-09-01 07:26:09).
You're trying to subtract epoch time from datetime format; it's possible.
Please find the sample example below. If your now and _time are the same, you will get zero in the age field.

| makeresults
 | eval epoctime=now()+1800
 | eval age = epoctime-_time
 | eval age1 = now()-_time
 | eval epoc_to_Datetime_format=strftime(epoctime,"%Y-%m-%d %H:%M:%S")
 | eval Datetime_to_Epoc_format=round(strptime(strftime(_time,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S"),0)
 | table epoctime epoc_to_Datetime_format _time Datetime_to_Epoc_format age age1 

Thanks 🙂 ...

0 Karma

Shan
Builder

@kundanbisht,

Did you get your expected answers from the above points?

0 Karma

kamlesh_vaghela
SplunkTrust

@kundanbisht,

You will get a difference in seconds.

| makeresults  | eval age=now()-_time

Thanks

0 Karma

bishtk
Communicator

Hi @kamlesh_vaghela, this query result always gives 0 as output. How do I figure out if it's in seconds or minutes?

_time age
2018-08-31 12:52:29 0

0 Karma

kamlesh_vaghela
SplunkTrust

@kundanbisht,
My given search is just an example.

Please try below for your data

index=your_index | eval age=now()-_time 
0 Karma

bishtk
Communicator

Thank you @kamlesh_vaghela. Yes, verified with the local data now. It's in seconds 🙂

0 Karma
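An added example, not part of any post in this thread: the `makeresults` test above returns 0 because the generated event's `_time` equals `now()`, so it cannot reveal the unit. The search below forces `_time` 90 minutes into the past (a constructed value; the field names `note`, `age_minutes` and `age_readable` are illustrative), so `age` comes out as 5400, which is 90 minutes expressed in seconds.

```spl
| makeresults
| eval note="constructed sample: _time forced 90 minutes into the past"
| eval _time=relative_time(now(), "-90m")
| eval age=now()-_time
| eval age_minutes=round(age/60, 1)
| eval age_readable=tostring(age, "duration")
| table _time note age age_minutes age_readable
```

`tostring(age, "duration")` renders the same value as 01:30:00, which is a convenient way to read event age when reviewing how stale a log source is.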