https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647658#M224151 <P>The <FONT face="courier new,courier">now</FONT> function always returns the time the search started.&nbsp; There is no provision for doing otherwise.</P><P>To get the time for each event ("loop"), use the <FONT face="courier new,courier">time</FONT> function.</P> Tue, 20 Jun 2023 17:17:47 GMT richgalloway 2023-06-20T17:17:47Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647644#M224149 <P>It appears that using now() inside of the map command will always return the time that the map was started rather than the time for each loop. The below SPL shows an example of this. Does anyone have any thoughts on how to get the time for each iteration of the loop?</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| makeresults count=100 | map maxsearches=100 search="| makeresults count=1 | eval outer_time=$_time$ | eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\") | eval now=now()" | table outer_time_formatted outer_time _time now</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 22 Jun 2023 01:29:43 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647644#M224149 fredclown 2023-06-22T01:29:43Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647657#M224150 <P>Do you need now()? Doesn't _time hold now?</P><LI-CODE lang="markup">| makeresults count=100 | map maxsearches=100 search="| makeresults count=1 | eval inner_time=_time"</LI-CODE> Tue, 20 Jun 2023 17:17:27 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647657#M224150 ITWhisperer 2023-06-20T17:17:27Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647658#M224151 <P>The <FONT face="courier new,courier">now</FONT> function always returns the time the search started.&nbsp; There is no provision for doing otherwise.</P><P>To get the time for each event ("loop"), use the <FONT face="courier new,courier">time</FONT> function.</P> Tue, 20 Jun 2023 17:17:47 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647658#M224151 richgalloway 2023-06-20T17:17:47Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647817#M224191 <P>I was using makeresults as a simplified example to show the behavior. My real SPL is using the rest command inside the map. There is no _time with results returned from | rest. I'm trying to get the time the rest command was started for each iteration of the loop. My hunch is this is not possible.</P> Wed, 21 Jun 2023 15:26:47 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647817#M224191 fredclown 2023-06-21T15:26:47Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647818#M224192 <P>The example I gave is a simplified one to show the behavior. My real SPL has the | rest command inside the map. The | rest command does not return _time. I am trying to figure out the time the rest command started for each iteration of the loop. My hunch is this isn't possible.</P> Wed, 21 Jun 2023 15:29:21 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647818#M224192 fredclown 2023-06-21T15:29:21Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647822#M224193 <P>My answer referred to the <FONT face="courier new,courier">time</FONT> function, not the _time field.&nbsp; You should be able to use <FONT face="courier new,courier">time()</FONT> to get the time of each <FONT face="courier new,courier">rest</FONT> call.</P> Wed, 21 Jun 2023 15:48:22 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647822#M224193 richgalloway 2023-06-21T15:48:22Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647824#M224194 <P>I am confused. &nbsp;As&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;pointed out, <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#time.28.29" target="_blank" rel="noopener">time()</A> is the correct function to use (in lieu of now()) inside a loop if you want to reveal the time of each iteration. &nbsp;Does this not work? &nbsp;It certainly works for me. (9.0.4)</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults count=100 | map maxsearches=100 search="| makeresults count=1 | eval outer_time=$_time$ | eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\") | eval now=time()" | table outer_time_formatted outer_time _time now</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV><DIV class="">&nbsp;</DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><TABLE><TBODY><TR><TD>outer_time_formatted</TD><TD>outer_time</TD><TD>_time</TD><TD>now</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.312381</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.404865</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.476129</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.546069</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.616955</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.690642</TD></TR><TR><TD>2023-06-21 08:44:16</TD><TD>1687362256</TD><TD>2023-06-21 08:44:16</TD><TD>1687362256.772683</TD></TR></TBODY></TABLE></DIV></DIV></DIV></DIV></DIV></DIV> Wed, 21 Jun 2023 15:50:29 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647824#M224194 yuanliu 2023-06-21T15:50:29Z https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647840#M224196 <P>Oh, goodness! I was not aware of the time() function. That's what I was looking for. Thanks.</P> Wed, 21 Jun 2023 18:39:04 GMT https://community.splunk.com/t5/Splunk-Search/Any-examples-of-using-now-inside-map-command/m-p/647840#M224196 fredclown 2023-06-21T18:39:04Z