Hi All,
Could you please help me here in confirming what would be the output of the below eval command?
"eval age = (now() - _time )"
Would the output be in minutes or seconds?
Thanks in advance,
@kundanbisht,
Let me tell you what exactly happens here.
eval age = (now() - _time )
now() is a Splunk function that gives you the current time in epoch format (Unix time, data e.g. = 1535779569). Epoch time will be in seconds.
_time is your Splunk indexing time (data e.g. = 2018-09-01 07:26:09).
You're trying to subtract epoch time from datetime format; it's possible.
Please find the sample example below. If your now and _time are the same, you will get zero in the age field.
| makeresults
| eval epoctime=now()+1800
| eval age = epoctime-_time
| eval age1 = now()-_time
| eval epoc_to_Datetime_format=strftime(epoctime,"%Y-%m-%d %H:%M:%S")
| eval Datetime_to_Epoc_format=round(strptime(strftime(_time,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S"),0)
| table epoctime epoc_to_Datetime_format _time Datetime_to_Epoc_format age age1
Thanks 🙂 ...
@kundanbisht,
Did you get your expected answers from the above points?
@kundanbisht,
You will get the difference in seconds.
| makeresults | eval age=now()-_time
Thanks
Hi @kamlesh_vaghela, this query result always gives 0 as output. How to figure out if it's in seconds or minutes?
_time age
2018-08-31 12:52:29 0
@kundanbisht,
My given search is just an example.
Please try below for your data
index=your_index | eval age=now()-_time
Thank you @kamlesh_vaghela. Yes, verified with the local data now. It's in seconds 🙂
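
One way to confirm the unit without indexed data, since a fresh `makeresults` event always shows an age of 0: push `_time` back by known offsets and compare the result. This is an added example, not a search posted in the thread; the field names `n`, `offset_seconds`, `age_minutes`, `age_hours`, `age_readable` and `unit_check`, and the four offset values, are constructed for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval offset_seconds=case(n=1, 0, n=2, 90, n=3, 3600, n=4, 93784)
| eval _time=now()-offset_seconds
| eval age=now()-_time
| eval age_minutes=round(age/60, 2)
| eval age_hours=round(age/3600, 2)
| eval age_readable=tostring(age, "duration")
| eval unit_check=if(age=offset_seconds, "seconds", "mismatch")
| table _time offset_seconds age age_minutes age_hours age_readable unit_check
```

Each row's `age` equals the offset that was subtracted in seconds, so `unit_check` reads `seconds`, and `tostring(age, "duration")` renders the 93784-second row as `1+02:03:04`.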