https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441027#M125326 <P>Hi All,</P> <P>Could you please help me here in confirming what would be the output of the below eval command?</P> <P>"eval age = (now() - _time )"</P> <P>Would the output be in minutes or seconds?</P> <P>Thanks in advance,</P> Fri, 31 Aug 2018 16:21:17 GMT bishtk 2018-08-31T16:21:17Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441027#M125326 <P>Hi All,</P> <P>Could you please help me here in confirming what would be the output of the below eval command?</P> <P>"eval age = (now() - _time )"</P> <P>Would the output be in minutes or seconds?</P> <P>Thanks in advance,</P> Fri, 31 Aug 2018 16:21:17 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441027#M125326 bishtk 2018-08-31T16:21:17Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441028#M125327 <P>@kundanbisht,</P> <P>You will get a difference in second.</P> <PRE><CODE>| makeresults | eval age=now()-_time </CODE></PRE> <P>Thanks</P> Fri, 31 Aug 2018 16:42:14 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441028#M125327 kamlesh_vaghela 2018-08-31T16:42:14Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441029#M125328 <P>Hi @kamlesh_vaghela, this query result always gives 0 as output. How to figure out if its in seconds or minutes?</P> <P>_time age<BR /> 2018-08-31 12:52:29 0</P> Fri, 31 Aug 2018 16:55:03 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441029#M125328 bishtk 2018-08-31T16:55:03Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441030#M125329 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5713i4C34BDE2743D45F7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Fri, 31 Aug 2018 16:55:52 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441030#M125329 bishtk 2018-08-31T16:55:52Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441031#M125330 <P>@kundanbisht,</P> <P>Let me tell you what exactly happens here.</P> <PRE><CODE>eval age = (now() - _time ) </CODE></PRE> <P>now() is a splunk function gives you current time in epoc format(Unix time, data eg =1535779569).epoc time will be in seconds.<BR /> _time is your splunk indexing time (data eg=2018-09-01 07:26:09)<BR /> your trying to minus epoc time from datetime format it's possible . <BR /> please find the sample example below. If your now and _time is same you will get zero at age field..</P> <PRE><CODE>| makeresults | eval epoctime=now()+1800 | eval age = epoctime-_time | eval age1 = now()-_time | eval epoc_to_Datetime_format=strftime(epoctime,"%Y-%m-%d %H:%M:%S") | eval Datetime_to_Epoc_format=round(strptime(strftime(_time,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S"),0) | table epoctime epoc_to_Datetime_format _time Datetime_to_Epoc_format age age1 </CODE></PRE> <P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ...</P> Sat, 01 Sep 2018 06:22:01 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441031#M125330 Shan 2018-09-01T06:22:01Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441032#M125331 <P>@kundanbisht,<BR /> My given search is just an example.</P> <P>Please try below for your data</P> <PRE><CODE>index=your_index | eval age=now()-_time </CODE></PRE> Sat, 01 Sep 2018 13:29:41 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441032#M125331 kamlesh_vaghela 2018-09-01T13:29:41Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441033#M125332 <P>Thank you @kamlesh_vaghela. Yes verified with the local data now. Its in seconds <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 03 Sep 2018 07:49:33 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441033#M125332 bishtk 2018-09-03T07:49:33Z https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441034#M125333 <P>@kundanbisht,</P> <P>Do you got your expected answers from above points ..</P> Tue, 04 Sep 2018 05:34:06 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-output-of-the-following-eval-and-now-function-query/m-p/441034#M125333 Shan 2018-09-04T05:34:06Z