topic Re: Using eval to create date in epoch time in Splunk Search

Using eval to create date in epoch time

hcannon — Fri, 22 Dec 2017 16:11:58 GMT

I need to create a field today that is equal to the epoch timestamp in milliseconds for midnight yesterday. I've been successful in using eval for this, but splunk is adding ".000" to the end of the field value and I can't for the life of me figure out why or how to remove .000, so that the value can be passed to a dbxquery formatted in milliseconds.

I've tried using rex mode=sed field=today "s/.000//", then attempted to convert the value to a string first, before sending to rex/sed.
The .000 persists.

...| eval today=(relative_time(now(),"-1d@d")*1000) | top today

search result:
today=1513832400000.000

Re: Using eval to create date in epoch time

somesoni2 — Fri, 22 Dec 2017 16:46:58 GMT

Try this

..| eval today=round(relative_time(now(),"-1d@d")*1000) | top today

Re: Using eval to create date in epoch time

micahkemp — Fri, 22 Dec 2017 16:47:15 GMT

Try

eval today=round(relative_time(now(), “-1d@d”) * 1000, 0)

Re: Using eval to create date in epoch time

hcannon — Fri, 22 Dec 2017 16:50:51 GMT

this did the trick, thank you!!