Archive

Eval Statement for today plus 7 days?

Builder

All,

Quick one I am stuck on. I want an EVAL statement that takes _indexedtime and adds 7 days to it and creates a field that is human readable.

EVAL-sevendaysfromnow = now() + 7d@d?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this:

For every event as per indextime

.. | eval time=strftime(_indextime+604800,"%Y-%m-%d %H:%M:%S")

with this you will get one value that will be always be now + 7 days

..| eval time=strftime(now()+604800,"%Y-%m-%d %H:%M:%S")

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try this:

For every event as per indextime

.. | eval time=strftime(_indextime+604800,"%Y-%m-%d %H:%M:%S")

with this you will get one value that will be always be now + 7 days

..| eval time=strftime(now()+604800,"%Y-%m-%d %H:%M:%S")

View solution in original post

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!