topic Re: Need help with adding if condition between time in Splunk Search

Need help with adding if condition between time

srinivasgowda — Fri, 26 Mar 2021 11:24:34 GMT

Hello all,

blacklist blackout_end blackout_start
1 1616756907 1616756427
1 1616756907 1616756427

I am trying to add the value for blacklist, where if the _time > blackout_start AND < blackout_end then blacklist=1 else 0.

Please help in getting the right answer.

Thanks.

rnowitzki — Fri, 26 Mar 2021 12:01:25 GMT

Hi @srinivasgowda ,

Try this

| eval blacklist=if(_time > blackout_start AND _time < blackout_end,1,0)

Hope it works for you.
BR
Ralph

aasabatini — Fri, 26 Mar 2021 12:03:54 GMT

first you need to convert your timestamp in epoch

| eval epoch=strftime(_time, "%s")

after this you can create your if condition, below you find the eval convertion and eval condition

| eval epoch=strftime(_time, "%s") | eval blacklist=if(blacklist_start > epoch AND epoch < blacklist_end,"1","0")

would be nice if you confirm the solution

Regards

rnowitzki — Fri, 26 Mar 2021 12:25:32 GMT

_time is stored as epoch internally and you can use it like that.
No need to convert it prior to the conditional eval.

aasabatini — Fri, 26 Mar 2021 12:29:29 GMT

epoch is stored on _time field but to works need convertions or blacklist_start/end field or time.

Regards

rnowitzki — Fri, 26 Mar 2021 12:36:59 GMT

Nope, you can use it as-is.

Doesn't really matter in this case, but I wanted to be sure I don't tell BS and tested it (again) 🙂 :

BR
Ralph