Minutes between most recent event date and now

aleem · ‎04-18-2012

I have a field called fldTimeStamp which I use to hold the date in which events were raised rather than what date I imported them in to Splunk. This works great. However, I need to know if the most recent fldTimeStamp is more than 20 minutes old.
I can use "head 1 | fields timestamp fldTimeStamp | eval fldNow = time() | convert ctime(fldNow)" to get the current time. However, I am struggling to subtract fldTimeStamp from now (fldNow).

Presumably, I need to do some evals and converts.

Any ideas how to do this?

Be the best version of you

carmackd · ‎04-18-2012

you can use the convert command to turn your fldTimeStamp field into epoch time then subtract it from your now() eval. example

| convert timeformat="%Y %D" mktime(fldTimeStamp) AS epoch_fldTimeStamp | eval fldNow=now() | eval age=fldNow-epoch_fldTimeStamp | where age < 1800

NOTE: use this link to get the correct time directives for your timeformat

http://www.tutorialspoint.com/python/time_strptime.htm

kristian_kolb · ‎04-18-2012

What is the format of fldTimeStamp? epoch? YYYY-mm-dd HH:MM:SS?

It's quite easy to craft a search that will show the age of the most recent event.

/k

aleem · ‎04-18-2012

I really want to know if the latest event is less than 30 minutes old, so I guess I could simply use the following;

sourcetype="myhost" earliest=-30m | head 1

Zero results would mean that there are no events in the past 30 minutes.

Be the best version of you

Minutes between most recent event date and now

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!