
time difference of events

Explorer

| eval testtime = time() - _time | search (testtime > 1800 AND testtime < 86400)

I'm trying to see if the events in my logs (when I run the query) are more than 30 mins and less than 24 hrs old from the time they were logged.

Is the condition right?


Re: time difference of events

Influencer

You can use the time picker or mention earliest and latest as below in your search


earliest=-24h latest=-30m


Re: time difference of events

SplunkTrust

gpradeepkumarreddy's answer is probably the most useful way to do that.

If you wanted to do it in code, your code is close to correct as far as it goes, since epoch time is calculated in seconds. However, you probably want to use the now() function rather than time(), since it will give a single result for the entire search, as opposed to being calculated at a different microsecond for each event.

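Putting both answers together, here is a complete search in the form the second reply recommends: one `now()` value for the whole search, the age kept in a named field, and the 30-minute and 24-hour bounds applied with `where`. This is an added example, not a query from either poster; the `index` and `sourcetype` values are placeholders you would replace with your own, and `host` and `source` are standard Splunk fields used only to make the output readable.

```spl
index=<your_index> sourcetype=<your_sourcetype> earliest=-24h latest=now
| eval age_seconds = now() - _time
| where age_seconds > 1800 AND age_seconds < 86400
| eval age_readable = tostring(age_seconds, "duration")
| table _time age_seconds age_readable host source
```

The `earliest=-24h` bound keeps the search from scanning older data that the `where` clause would discard anyway, and `latest=now` is explicit so that a time picker set to a narrower window does not silently change the result. The first reply's `earliest=-24h latest=-30m` performs the same filtering with no `eval` at all; the `eval` form is useful when you want the age as a field for further calculations or for a readable `duration` string as shown.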