topic Re: Make eval time minutes in Splunk Search

How to make eval time minutes?

troy44112 — Wed, 23 Mar 2022 04:51:29 GMT

What do I need to add to this search, to make this search | where Need >= 60min

| tstats max(_indextime) AS Late where earliest=-24h latest=now (index=bluff) by sourcetype | eval CurrentTime=now() | eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z") | table sourcetype, LastIngestionTime, CurrentTime, Need | rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"

Re: Make eval time minutes

gcusello — Tue, 22 Mar 2022 16:05:39 GMT

Hi @troy44112,

did you tried something like this?

| tstats max(_indextime) AS Late where earliest=-24h latest=now (index=bluff) by sourcetype | eval CurrentTime=now() | eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z") | where Need>=3600 | table sourcetype, LastIngestionTime, CurrentTime, Need | rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"

Ciao.

Giuseppe

Re: Make eval time minutes

troy44112 — Tue, 22 Mar 2022 16:11:41 GMT

@gcusello What does the 3600 represent?
I am trying to figure out the calculation.
ie: if I want to change it to 60min, 45min, 90min etc..

Re: Make eval time minutes

venky1544 — Tue, 22 Mar 2022 16:14:45 GMT

Hi @troy44112

in your query

| eval Need = CurrentTime - Late

since the subtraction is in epoch time format it would give the values in seconds

|eval need = (CurrentTime-late)/60 use something like this to convert it into minutes and then use the where clause need >=60

Hope this helps

Re: Make eval time minutes

gcusello — Tue, 22 Mar 2022 16:47:31 GMT

Hi @troy44112,

you asked the condition for 60 minutes: 3600 are the seconds in 60 minutes.

time differences are expressed in seconds, so you can find the number to use in the check.

Ciao.

Giuseppe

Re: Make eval time minutes

venky1544 — Wed, 23 Mar 2022 09:03:13 GMT

Hi @troy44112

if you think the solution can you please accept the solution whichever was relevant for your use case

karma points are appreciated

Re: Make eval time minutes

troy44112 — Wed, 23 Mar 2022 16:26:59 GMT

@gcusello @venky1544,

When I set the alert it runs off of "current time" search, so results are returned even though there isn't a delay. Would you happen to know how to change this search to if there is a delay of >60min. Rather than subtracting the current time from the last ingestion time?

Re: Make eval time minutes

gcusello — Wed, 23 Mar 2022 16:37:48 GMT

Hi @troy44112,

Hi did you tried to use a different earliest and latest?

| tstats max(_indextime) AS Late where earliest=-25h@h latest=-h@h (index=bluff) by sourcetype | eval CurrentTime=now() | eval Need = CurrentTime - Late, LastIngestionTime=strftime(Late,"%Y/%m/%d %H:%M:%S %Z"), CurrentTime =strftime(CurrentTime,"%Y/%m/%d %H:%M:%S %Z") | where Need>=3600 | table sourcetype, LastIngestionTime, CurrentTime, Need | rename LastIngestionTime as "Last", CurrentTime AS "Search time", Need AS "Latency in Minutes"

Ciao.

Giuseppe

Re: Make eval time minutes

troy44112 — Fri, 25 Mar 2022 12:47:12 GMT

@gcusello ,
It still isn't working. The alert subtracts from whenever the search is ran & the "late" variable, then outputs it as latency. Rather than alerting if there is a delay >60min.