Archive

How to eval time from timepicker and use it in search?

Path Finder

I need to eval time in hours between now and earliest time from timepicker to use it in search.
e.g. if timepicker set to “last 24 hours” - evaluated time should be 24h, for “last 2 days” - 48h, etc. Thank you!

Tags (1)
0 Karma

Esteemed Legend

Like this:

... | addinfo | eval hours_between_now_and_earliest = round(((now() - info_min_time) / 60 / 60), 2) | fields - info_*
0 Karma

Path Finder

Thanks! Can you explain what this part is doing "| fields - info_*"?

0 Karma

Esteemed Legend

There was a typo; I was using earliest when I should have been using info_min_time. I edited my answer and fixed it.

0 Karma

Esteemed Legend

It is getting rid of the info_* fields that were added by the call to addinfo.

0 Karma

SplunkTrust
SplunkTrust

@kimberlytrayson

You can try addinfo command.

info_min_time = The earliest time boundary for the search.
info_max_time = The latest time boundary for the search.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/addinfo

0 Karma

Path Finder

Sorry, it will be epoch time, right?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!