Hello,
I am currently doing a search that uses a unix time as a field. What I want to do is something like this at search time:
source="mysource" my_unix_time < (unix_time(now)-6 Months)
Effectively, I want to say, keep only entries where this field's date time is greater than six months (not the actual time the data was logged, this specific field). I am converting the unix time to something readable with convert timeformat="%Y-%m-%d %H:%M:%S" ctime(my_unix_time) so I am not sure if date manipulation is easier after this or before.
Thanks for any help.
Kevin
If you are running 4.1 you can use the relative_time() eval function, so your expression could be written:
source="mysource" | where my_unix_time < relative_time(time(), "-6mon") | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(my_unix_time)
Note that time() is the wall-clock time, whereas the now() eval function is based on the time when the search was started (or was scheduled to start).
I'm assuming my_unix_time is not equal to the event timestamp?
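As an added illustration (not part of the original thread or of Splunk's own code), the following Python reproduces the filter from the answer outside Splunk: a cutoff is computed by subtracting six calendar months from a reference time, and only events whose my_unix_time field is strictly older than that cutoff are kept, then the field is rendered with the same "%Y-%m-%d %H:%M:%S" format the convert command uses. The sample events are constructed, the reference time is passed in explicitly (a fixed value behaves like Splunk's now(); calling time.time() at each run behaves like time()), and the month arithmetic clamps the day to the end of the target month (31 Aug minus six months gives 28 or 29 Feb); that clamping rule is this example's own assumption about how "-6mon" should behave, not a statement about Splunk internals.

```python
import calendar
from datetime import datetime, timezone

# Constructed sample events. my_unix_time is a field inside the event and is
# deliberately not the event's own timestamp, as in the original question.
SAMPLE_EVENTS = [
    {"source": "mysource", "my_unix_time": 1230768000},  # 2009-01-01 00:00:00 UTC
    {"source": "mysource", "my_unix_time": 1262304000},  # 2010-01-01 00:00:00 UTC
    {"source": "mysource", "my_unix_time": 1267315200},  # 2010-02-28 00:00:00 UTC
    {"source": "mysource", "my_unix_time": 1277942400},  # 2010-07-01 00:00:00 UTC
]


def ctime(epoch: int) -> str:
    """Equivalent of convert timeformat="%Y-%m-%d %H:%M:%S" ctime(field), in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def relative_months(ref: datetime, months: int) -> datetime:
    """Shift ref by a number of calendar months (negative moves into the past).

    Assumption (this example's choice): when the target month is shorter than
    the reference day-of-month, the day is clamped to the last day of that month.
    """
    total = ref.year * 12 + (ref.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    # replace() sets all three fields at once, so no invalid intermediate date.
    return ref.replace(year=year, month=month, day=min(ref.day, last_day))


def cutoff_epoch(ref_epoch: int, months: int = 6) -> int:
    """Unix time of relative_time(ref, "-<months>mon") under the clamping rule above."""
    ref = datetime.fromtimestamp(ref_epoch, tz=timezone.utc)
    return int(relative_months(ref, -months).timestamp())


def filter_older_than(events, ref_epoch: int, months: int = 6):
    """Keep events whose my_unix_time is strictly earlier than the cutoff,
    mirroring: where my_unix_time < relative_time(<ref>, "-6mon").
    Returns the surviving events with a readable copy of the field added."""
    cutoff = cutoff_epoch(ref_epoch, months)
    kept = []
    for ev in events:
        if ev["my_unix_time"] < cutoff:  # strict: an event exactly at the cutoff is dropped
            kept.append({**ev, "my_unix_time_readable": ctime(ev["my_unix_time"])})
    return kept


if __name__ == "__main__":
    # Fixed reference time, like Splunk's now(): 2010-08-31 00:00:00 UTC.
    reference = 1283212800
    print("cutoff:", ctime(cutoff_epoch(reference)))
    for ev in filter_older_than(SAMPLE_EVENTS, reference):
        print(ev)
```

Passing a fixed reference, as above, is the reproducible choice when the search is scheduled or its results are reviewed later; a wall-clock reference (time.time(), Splunk's time()) can make the same search return different rows on every run, which matters when the result feeds a ticket or an alert.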