Field _time should be less than a week

d12harshal · ‎07-19-2013

Dear Splunkers,
My search results contain fields Name, Time as Test1, Test2, Test3, Test4 and 1375351200.000, 1417863600.000, 1375351200.000, 1375351200.000

My Requirement: I trying to convert time to human readable standard format, and also final report must only contain a report with time(date) less than a week. Adding of extra fields also not a problem.

Could any please help me out. Thanks in advance.

Regards,
Harshal

amit_saxena · ‎07-28-2013

Hi,

I am not sure why "mktime" instead "ctime" was used here.

I would suggest the following search command.

... | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Time) as NewTime | where now() - Time < 604800

Let me know if it works for you.

EDIT: Just realized that earliest will work for "_time" field only which is not the time field for your case. So modified the search query to use "now". However the newer search might not work in all cases. The number 604800 is equal to number of seconds in a week.

Regards,
Amit Saxena

d12harshal · ‎08-14-2013

Sorry it was a long time, but in my case it is not possible with ctime.

jgedeon120 · ‎07-19-2013

Add the following and then add the field time to your table.
| convert ctime(_time) as time

Then set your search range for past seven days or specify the time range in the time range picker.

d12harshal · ‎07-19-2013

Its custom time, so not possible to set the time range. Following search worked for me.

... | convert timeformat="%m/%e/%Y %I:%M:%S %p" mktime(Time) AS Time_epoch mktime(now) AS now_epoch | eval age=round((Time_epoch-now_epoch)/60/60/24)

Field _time should be less than a week

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...