topic Re: How to subtract 30 minutes from now() using eval in Splunk Search

How to subtract 30 minutes from now() using eval

adoshi — Mon, 28 Sep 2020 12:05:07 GMT

I would like to know how to subtract 30 minutes from the call to the now() function and set the value of a field called StartTime

| eval StartTimeInSecondsSince12AM = SomeFunction(now() - 30) | eval EndTimeInSecondsSince12AM = SomeFunction(now())

From there I want to run a query like

earliest = -30d latest = -1d | where SecondsSince12AM(_time) >= StarTimeInSecondsSince12AM AND SecondsSince12AM(_time) <= EndTimeInSecondsSince12AM

Thank you.

Re: How to subtract 30 minutes from now() using eval

lguinn2 — Fri, 13 Jul 2012 16:41:30 GMT

It's actually very easy! You want:

| eval StartTimeInSecondsSince12AM = relative_time(now(),"-30m") | eval EndTimeInSecondsSince12AM = now()

now() is the time that the search started, in Linux epoch time.

Re: How to subtract 30 minutes from now() using eval

adoshi — Fri, 13 Jul 2012 17:08:27 GMT

If I do that, I think it would have the data and time included in the value. I just need the time part so that I can find the events that occurred in that time period for last 30 days. So how do I just extract the time part is the question.

Re: How to subtract 30 minutes from now() using eval

lguinn2 — Fri, 13 Jul 2012 18:15:17 GMT

So, you are looking for events that occurred at the same time of day, on different days? That's a different question...

Re: How to subtract 30 minutes from now() using eval

lguinn2 — Fri, 13 Jul 2012 18:21:15 GMT

If you are looking for events that occurred within a time of day, for a series of days, you will need a different approach.
I will use this example: I want to know how many events occurred between 14:00 and 14:30 for each of the last 30 days.
Here is how to do that:

searchcriteriahere earliest=-30d 
| eval eventHour=strftime(_time,"%H") | eval eventMin=strftime(_time,"%M")
| where eventHour=14 and eventMin<31
| bucket _time span=1d
| chart count by _time

And if the time needs to be based on "in the last 30 minutes" instead of a specific time:

searchcriteriahere earliest=-30d 
| eval eventHour=strftime(_time,"%H") | eval eventMin=strftime(_time,"%M")
| eval curHour==strftime(now(),"%H") | eval curMin=strftime(now(),"%M")
| where (eventHour=curHour and eventMin > curMin - 30) or 
    (curMin < 30 and eventHour=curHour-1 and eventMin>curMin+30)
| bucket _time span=1d
| chart count by _time

Re: How to subtract 30 minutes from now() using eval

adoshi — Fri, 13 Jul 2012 21:45:41 GMT

Thank you. This is exactly what I need. You are awesome.

Re: How to subtract 30 minutes from now() using eval

vhsg — Fri, 23 Sep 2016 18:27:20 GMT

Hi,

If not work, I can give a clue please 🙂

index=menu_ivr dnis=550621 | eval StartTime_7 = relative_time(now(),"-90000s@s") | eval EndTime_7 = relative_time(now(),"-86400s@s")| fields connectionID, _time, dnis, StartTime_7, EndTime_7 |eval StartTime_N=strftime(StartTime_7,"%Y-%m-%d %H:%M:%S") | eval EndTime_N=strftime(EndTime_7,"%Y-%m-%d %H:%M:%S") | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | fields StartTime_N, connectionID, dnis, EndTime_N, time | where time > StartTime_N AND time > EndTime_N

Re: How to subtract 30 minutes from now() using eval

vhsg — Fri, 23 Sep 2016 18:48:19 GMT

hello, but this also gives negative minutes this correct?