What's the output of the following eval and now() ...

bishtk · ‎08-31-2018

Hi All,

Could you please help me here in confirming what would be the output of the below eval command?

"eval age = (now() - _time )"

Would the output be in minutes or seconds?

Thanks in advance,

Shan · ‎08-31-2018

@kundanbisht,

Let me tell you what exactly happens here.

eval age = (now() - _time )

now() is a splunk function gives you current time in epoc format(Unix time, data eg =1535779569).epoc time will be in seconds.
_time is your splunk indexing time (data eg=2018-09-01 07:26:09)
your trying to minus epoc time from datetime format it's possible .
please find the sample example below. If your now and _time is same you will get zero at age field..

| makeresults
 | eval epoctime=now()+1800
 | eval age = epoctime-_time
 | eval age1 = now()-_time
 | eval epoc_to_Datetime_format=strftime(epoctime,"%Y-%m-%d %H:%M:%S")
 | eval Datetime_to_Epoc_format=round(strptime(strftime(_time,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S"),0)
 | table epoctime epoc_to_Datetime_format _time Datetime_to_Epoc_format age age1

Thanks 🙂 ...

Shan · ‎09-03-2018

@kundanbisht,

Do you got your expected answers from above points ..

bishtk · ‎08-31-2018

kamlesh_vaghela · ‎08-31-2018

@kundanbisht,

You will get a difference in second.

| makeresults  | eval age=now()-_time

Thanks

bishtk · ‎08-31-2018

Hi @kamlesh_vaghela, this query result always gives 0 as output. How to figure out if its in seconds or minutes?

_time age
2018-08-31 12:52:29 0

kamlesh_vaghela · ‎09-01-2018

@kundanbisht,
My given search is just an example.

Please try below for your data

index=your_index | eval age=now()-_time

bishtk · ‎09-03-2018

Thank you @kamlesh_vaghela. Yes verified with the local data now. Its in seconds 🙂

What's the output of the following eval and now() function query?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes