topic Re: Field _time modification based on _time condition .... in Splunk Search

Field _time modification based on _time condition ....

pioootrek — Wed, 19 Jul 2023 12:11:37 GMT

Hello,

I need to modify _time value based on ... _time value.

If:

1) original _time is before working hours, than set new _time to working hour start, like:

org _time after 00:00 before 9:00 then set new _time to 9:00

2) original_time is within working hour, leave it

3) original _time is after working hours, that modify it to next day working hour start, like

org _time is after 16:00 and before 24:00, then set new _time to 9:00 of next day

Anyone has an idea?

Regards

Re: Field _time modification based on _time condition ....

isoutamo — Wed, 19 Jul 2023 12:19:44 GMT

Could you open what it your issue which you are trying to solve with this _time change?

Are you trying to modify _time on search time or even in index time?

r. Ismo

Re: Field _time modification based on _time condition ....

ITWhisperer — Wed, 19 Jul 2023 12:53:41 GMT

Try something like this

| eval _time=case(tonumber(strftime(_time,"%H")) < 9, relative_time(_time, "@d+9h"), tonumber(strftime(_time,"%H")) > 16, relative_time(_time, "@d+16h"), 1==1, _time)