topic Re: How to edit timestamp to one day previously? in Splunk Search

How to edit timestamp to one day previously?

jackreeves — Tue, 15 May 2018 08:32:56 GMT

I have a report running in SPLUNK on a daily basis. The timestamp for this report is the "Report Date" field (i.e. today). However, the events are actually from the previous day.

Therefore am I able to run a calculation either in the config file or at search time for ("Report Date"-1d@d). This would then mean the events are timestamped for the correct day.

Thanks in advance.

Re: How to edit timestamp to one day previously?

mayurr98 — Tue, 15 May 2018 09:57:49 GMT

can you provide search query?

Re: How to edit timestamp to one day previously?

jackreeves — Tue, 15 May 2018 10:51:47 GMT

index=diags sourcetype=diags_assigned
| timechart span=1d dc(Call No) as "Assigned"

This will provide me with following data for previous 7 days:
15/05/2018
14/05/2018
13/05/2018
12/05/2018
11/05/2018
10/05/2018
09/05/2018

However really the data for the 15/05/2018 should be 14/05/2018 & 14/05/2018 should be 13/05/2018 and so on. Essentially changing _time to -1d@d

Re: How to edit timestamp to one day previously?

jackreeves — Tue, 29 Sep 2020 19:32:24 GMT

index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"

However the timestamp is always one day in the future (i.e. 15/05/2018 should really be 14/05/2018). This is because I am using a "Report Date" field in my data, when the events are always -1d@d behind.

Re: How to edit timestamp to one day previously?

niketn — Tue, 15 May 2018 11:02:07 GMT

@jackreeves, if your current Time picker selection is Today i.e. earliest=@d and latest=now, you should change it to

earliest=-1d@d and latest=-1d@s

Please try out and confirm!

Re: How to edit timestamp to one day previously?

jackreeves — Tue, 29 Sep 2020 19:32:26 GMT

@mayurr98 - bizarrely can't see your latest comment but it has worked a charm 🙂

Answer:
index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Thanks both for your help

Re: How to edit timestamp to one day previously?

mayurr98 — Tue, 15 May 2018 12:02:28 GMT

Oh, I deleted it cause I thought that it would not work for you.

index=diags sourcetype=diags_assigned_gdc 
| timechart span=1d dc(Call No) as "Assigned" 
| rename _time as time 
| eval time=strftime(time-86400,"%Y-%m-%d")

Please accept it if it works for you.

Re: How to edit timestamp to one day previously?

jackreeves — Tue, 29 Sep 2020 19:32:31 GMT

Works perfectly. How would this work using chart command? Where Date is following format "Y/m/d" & is not the timestamp?

Search:
index=diags sourcetype=diags_closed_gdc
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

Thanks,
Jack

Re: How to edit timestamp to one day previously?

mayurr98 — Tue, 15 May 2018 12:17:59 GMT

Try this

index=diags sourcetype=diags_closed_gdc 
| eval Date=strftime(strptime(Date,"%Y/%m/%d")-86400,"%Y/%m/%d") 
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

Re: How to edit timestamp to one day previously?

jackreeves — Tue, 15 May 2018 13:48:14 GMT

Again that has worked perfectly!

Thank you so much for your help.