Search to show me events that have timestamps out ...

robnewman666 · ‎03-08-2021

Hello,

I have the following search but I want it to show me the delay less and more out by more than 1 hour in a better way:

ITWhisperer · ‎03-08-2021

| eval hourdelay=if(delay>3600,"more than 1 hour", "less than 1 hour")

richgalloway · ‎03-08-2021

Better how?

The current query converts the delay time from seconds to minutes and then filters out anything less than 3600 minutes (2.5 days).

---
If this reply helps you, Karma would be appreciated.

scelikok · ‎03-08-2021

Hi @robnewman666,

You can use tstats version

| tstats count where index=av by _indextime _time
| eval delay=abs(_indextime-_time)
| where delay > 3600
| eval index_time=_indextime
| convert ctime(index_time)
| table _time index_time delay

which will run much faster;

If this reply helps you an upvote and "Accept as Solution" is appreciated.

robnewman666 · ‎03-08-2021

Thanks, this does look better, so will try tomorrow. Thanks @scelikok! 🙂

Search to show me events that have timestamps out by a lot

eval

other

table

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...