topic Time matching w/ a +/- 5 min window in Splunk Search

Time matching w/ a +/- 5 min window

cquinney — Wed, 09 Sep 2020 17:46:08 GMT

Greetings Splunkers,

I have a lookup file that has a list of set jobs with a frequency timestamp (e.g. Mon-Fri @ 3:30) of when the job should be seen within Splunk. I'm wanting to create an eval that will allow me to match the index time of an event/job with its frequency timestamp.

The dilemma I'm having is incorporating a +/- 5 min time span into the matching criteria. Any assistance in figuring this out would be greatly appreciated.

Re: Time matching w/ a +/- 5 min window

richgalloway — Wed, 09 Sep 2020 18:04:08 GMT

The +/- 5 minute bit is easy - just add or subtract 300 seconds from the computed timestamp. IMO, the hard part is converting "Mon-Fri @ 3:30" into a timestamp.

Re: Time matching w/ a +/- 5 min window

cquinney — Thu, 10 Sep 2020 01:57:19 GMT

Hi @richgalloway ,

Can you possibly provide an example of how you'd incorporate your suggestion into the eval? Thank you.

Re: Time matching w/ a +/- 5 min window

richgalloway — Thu, 10 Sep 2020 12:41:15 GMT

| eval start=computedTime - 300, end=computedTime + 300

Re: Time matching w/ a +/- 5 min window

cquinney — Thu, 10 Sep 2020 15:59:43 GMT

Hi @richgalloway

Thank you for the advice, I ended up incorporating your suggestion into my query as such:

| eval TimeMatch=if(((_time >= _time-300 OR _time <= _time+300) AND _time=ExptectedTime), "Match", "No Match")

This gave me the results I was hoping for. Thank you again!