topic Re: Comparing field values(time) with Real Time and display the result in Splunk Search

Comparing field values(time) with Real Time and display the result

nnimbe — Thu, 06 Apr 2017 08:14:58 GMT

Hi,

One of the field value in splunk is 12/28/2016 15:13:10, i just wanted to compare with realtime and display the results if the value of that field is greater than 24 hours(last 1 day), please let me know how to acheive the same

example:time=12/28/2016 15:13:10, if it is >24hrs(last 1 day) with realtime then display the result

Re: Comparing field values(time) with Real Time and display the result

niketn — Thu, 06 Apr 2017 09:29:40 GMT

@nnimbe...Based on whether your time field is string time or epoch time you would require first eval to convert to epoch time or else not require the first eval with strptime:

<YourBaseSearch>
| eval time=strptime(time,"%m/%d/%Y %H:%M:%S")
| eval duration=(now()-time)/60
| search duration>24

Following is run anywhere example:

| makeresults
| eval time="12/28/2016 15:13:10"
| eval time=strptime(time,"%m/%d/%Y %H:%M:%S")
| eval duration=(now()-time)/60
| search duration>24

You should also explain the scenario to provide some context around your question. The query will perform better if you can perform query filter based on date upfront rather than later.

Re: Comparing field values(time) with Real Time and display the result

nnimbe — Thu, 06 Apr 2017 12:36:27 GMT

Thanks @niketnilay , it worked, meanwhile one more query

I am just using metadata command to check the number of hosts and sourcetype, if any new host or sourcetype is added to splunk i want to get alert, how to achieve this using search command (without uploading the csv file and comparing that...i am not looking for this option)