this is my search:
| makeresults count=2 |
eval start=relative_time(now(),"@d") |
eval start_string=strftime(start,"%Y-%m-%d") |
eval end=strptime("1 jan 2017","%d %b %Y") |
eval end_string=strftime(end,"%Y-%m-%d") |
eval start_minus_end=end-start/1400
give s me the following:
_time end end_string start start_minus_end start_string
1 2016-04-20 10:13:02 1483182000.000000 2017-01-01 1461067200.000000 1482138380.571429 2016-04-20
2 2016-04-20 10:13:02 1483182000.000000 2017-01-01 1461067200.000000 1482138380.571429 2016-04-20
How do I work out how many days are between start_string
and end_string
?
I have tried to do this with eval start_minus_end=end-start/1400
but i am not sure what value start_string
is? is it milliseconds?
As an aside I would then like to store this value in a variable that I can somehow use in the predict
function and assign it to future_timespan
e.g. predict kpi1 as kpi1 future_timespan=<VARIABLE> holdback=1
Splunk also has a tostring function that allows you to, among other things, convert seconds to a duration. The result is in the format of days+HH:MM:SS
| eval duration = tostring(end - start,"duration")
So in your case the result for today is 257+01:00:00.000000