topic Re: How to compare CutoffTime with current time in Splunk Search

How to compare CutoffTime with current time?

pradeepkm — Wed, 23 Mar 2022 04:16:23 GMT

I have created a lookup table with filename and cutofftime within which we have to receive the file. I have to compare Cutofftime to check if its falling within 30 mins of current time and retrieve that particular file name from lookup and search for it. Please help me with query

Re: How to compare CutoffTime with current time

somesoni2 — Tue, 22 Mar 2022 18:05:34 GMT

Assuming your lookup field for cutofftime has epoch value, you can retrieve the filename based on your condition like this:

| inputlookup yourLookupName.csv | table filename cutofftime | where abs(cutofftime-now())<=1800 | table filename

If it's in some specific string timestamp format, replace "abs(cutofftime-now())" with "abs(strptime(cutofftime,"Your Time Format")-now()". Find your Timeformat here.

Once you finalize your above query, your search data for your retrieved file like this:

index=YourIndex sourcetype=YourSourcetype [| your finalized query | which will give filename. your may have to rename field 'filename' to field name that your index/sourcetype has]

Re: How to compare CutoffTime with current time

pradeepkm — Tue, 22 Mar 2022 18:51:51 GMT

I was able to figure out working query.Yes I have used similar logic mentioned by you.Thanks for the response.