Splunk Search

Field _time should be less than a week

d12harshal
Path Finder

Dear Splunkers,
My search results contain the fields Name and Time, with the values Test1, Test2, Test3, Test4 and 1375351200.000, 1417863600.000, 1375351200.000, 1375351200.000.

My Requirement: I am trying to convert the time to a human-readable standard format, and the final report must only contain rows with a time (date) less than a week old. Adding extra fields is also not a problem.

Could anyone please help me out? Thanks in advance.

Regards,
Harshal

0 Karma

amit_saxena
Communicator

Hi,

I am not sure why "mktime" instead of "ctime" was used here.

I would suggest the following search command.

... | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Time) as NewTime | where now() - Time < 604800

Let me know if it works for you.

EDIT: Just realized that earliest will work for the "_time" field only, which is not the time field in your case. So I modified the search query to use "now". However, the newer search might not work in all cases. The number 604800 is equal to the number of seconds in a week.

Regards,
Amit Saxena

0 Karma

d12harshal
Path Finder

Sorry, it has been a long time, but in my case it is not possible with ctime.

0 Karma

jgedeon120
Contributor

Add the following and then add the field time to your table.
| convert ctime(_time) as time

Then set your search range for past seven days or specify the time range in the time range picker.

0 Karma

d12harshal
Path Finder

It's a custom time, so it is not possible to set the time range. The following search worked for me.

... | convert timeformat="%m/%e/%Y %I:%M:%S %p" mktime(Time) AS Time_epoch mktime(now) AS now_epoch | eval age=round((Time_epoch-now_epoch)/60/60/24)

0 Karma
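The conversion and one-week filter discussed in this thread, written out in Python as an added example (it is not from any of the posts above, and SPL itself is not runnable outside Splunk). It assumes UTC rendering (Splunk's ctime uses the search head's time zone) and a fixed, constructed reference time in place of now() so the result is reproducible.

```python
"""Python equivalent of the thread's SPL: epoch 'Time' -> human-readable, keep rows < 1 week old."""
from datetime import datetime, timezone

WEEK_SECONDS = 604800               # seconds in a week, as in the suggested `where` clause
TIME_FORMAT = "%m/%d/%y %H:%M:%S"    # strftime pattern from the suggested `convert timeformat=...`

# Constructed sample rows: the four Name/Time pairs given in the question.
SAMPLE_ROWS = [
    {"Name": "Test1", "Time": "1375351200.000"},
    {"Name": "Test2", "Time": "1417863600.000"},
    {"Name": "Test3", "Time": "1375351200.000"},
    {"Name": "Test4", "Time": "1375351200.000"},
]

# Fixed reference "now" (constructed, 2014-12-07 UTC) so the output is reproducible;
# Splunk's now() moves with every search.
REFERENCE_NOW = 1418000000.0


def ctime(epoch, fmt=TIME_FORMAT):
    """Mimic `convert ctime(Time)`: epoch seconds (number or '...000' string) -> formatted string.
    Assumes UTC; Splunk renders in the search head's time zone."""
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc).strftime(fmt)


def recent_rows(rows, now=REFERENCE_NOW, max_age=WEEK_SECONDS):
    """Mimic `where now() - Time < 604800`, adding NewTime and an age-in-days field.
    Like the SPL, a Time in the future relative to `now` has negative age and is kept."""
    out = []
    for row in rows:
        epoch = float(row["Time"])          # '1375351200.000' -> 1375351200.0
        age = now - epoch                   # seconds between the reference time and the row
        if age < max_age:
            out.append({**row, "NewTime": ctime(epoch), "age_days": round(age / 86400, 2)})
    return out


if __name__ == "__main__":
    for row in recent_rows(SAMPLE_ROWS):
        print(row)
```

With the reference time above only Test2 survives the filter; the three 2013 rows are well over a week old.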