topic Re: Can you help me with my query involving the eval command and strftime? in Splunk Search

Can you help me with my query involving the eval command and strftime?

tb5821 — Wed, 07 Nov 2018 02:21:47 GMT

| eval lastChange=strftime(time_of_last_change,"%m-%d-%y %I:%M:%S %p") 
| eval timenow=now()
| eval last1hr=strftime(relative_time(now(), "-1h@s"), "%m-%d-%y %I:%M:%S %p")
| eval timenow=strftime(now(),"%m-%d-%y %I:%M:%S %p")
| eval actualchange= prev_count-count 
| where prev_count != count
| dedup namespace 
| table namespace actualchange prev_count count timenow lastChange last1hr diff

for some reason I can't seem to diff last1hr and lastChange! — what am I doing wrong?

Re: Can you help me with my query involving the eval command and strftime?

tb5821 — Wed, 07 Nov 2018 02:31:30 GMT

even if I do | eval diff= last1hr-lastChange that diff field doesn't produce anything!

Re: Can you help me with my query involving the eval command and strftime?

tb5821 — Wed, 07 Nov 2018 02:38:58 GMT

tried | eval diff = lastChange - last1hr | eval dur = tostring(diff, "duration") too

Re: Can you help me with my query involving the eval command and strftime?

sduff_splunk — Wed, 07 Nov 2018 03:05:50 GMT

You are using strftime, which is converting your times into text strings, which you can't do maths operations on.

What format is time_of_last_change? Is it a unix timestamp? If so, you can calculate the difference by doing eval diff=relative_time(now(), "-1h@s") - time_of_last_change.

Otherwise, you most probably want to use the strptime command, which converts times in text format into a unix timestamp, which is seconds. From there, you can calculate the time difference.

Re: Can you help me with my query involving the eval command and strftime?

mstjohn_splunk — Wed, 07 Nov 2018 21:53:46 GMT

hi @tb5821

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

Re: Can you help me with my query involving the eval command and strftime?

hcanivel_splunk — Fri, 09 Nov 2018 01:28:56 GMT

Is time_of_last_change in epoch? As sduff has indicated, you're trying to diff string/text values. Not going to work.

Use strptime to convert the string into an integer in epoch.

You'll need to compare two different epoch values to make your tostring(<val>, "duration") usable here.

eval diff = tostring(relative_time(now(), "-1h") - time_of_last_change, "duration")