Dashboards & Visualizations

Can someone help me understand this search and how I can get the current May month time?

Keerthi
Path Finder

Hi, I am new to Splunk and need to understand the query below and the results it returns.

| eval c_time=(strftime(latest,"%d"))
| eval c_time2 = c_time * 86400
| eval newdate=latest - c_time2
| where _time >=newdate



The results: (screenshot attached to the original post, not reproduced here)

Can anyone please explain the above query and the results, and why we are multiplying c_time * 86400,
and how do I get the current May month time?

0 Karma

gcusello
SplunkTrust

Hi @Keerthi,

The first row extracts the day number from the latest field (I suppose a date in epoch time, otherwise it doesn't run).

The second one calculates the number of seconds in that number of days (86400 is the number of seconds in 24 hours), I don't know why.

The third row tries to calculate the difference between the latest field and the number of seconds, but in my opinion it's nonsense, because you should compare two dates, not a date and a calculated number.

The last row filters results, taking only events with a timestamp after ctime2.

But if you have to take only events in a period of x days, you can have the same result in an easier way:

| eval diff=now()-_time
| where diff<=n*86400

where n is the number of days that you want to consider in your time period, and not the day number in the latest field.

Ciao.

Giuseppe

0 Karma
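To make the arithmetic in the original query concrete, here is an added example (not code from either post) that replays the posted eval chain on constructed epoch timestamps and compares its cutoff with a true start-of-month boundary. It assumes `latest` is an epoch-seconds field, as the answer supposes, and that all conversions happen in UTC; Splunk's own strftime() and relative_time() use the searching user's configured time zone instead. The sample `latest` value is the epoch embedded in the screenshot filename; the event list is constructed for the demonstration.

```python
"""Added example (not code from the thread): replay the epoch arithmetic in
the posted SPL on constructed timestamps and compare it with a true
month-to-date boundary.  Assumes UTC; Splunk's strftime()/relative_time()
use the searching user's time zone instead."""
from datetime import datetime, timezone

DAY = 86400  # seconds in 24 hours, the constant used in the posted query


def posted_newdate(latest: int) -> int:
    """Mirror of the posted pipeline on one `latest` epoch value:
        | eval c_time=strftime(latest,"%d")
        | eval c_time2=c_time*86400
        | eval newdate=latest-c_time2
    Subtracting day_of_month whole days lands on the same time of day on
    the last day of the previous month, i.e. one day too early."""
    day_of_month = int(datetime.fromtimestamp(latest, timezone.utc).strftime("%d"))
    return latest - day_of_month * DAY


def arithmetic_month_start(latest: int) -> int:
    """Same epoch arithmetic, corrected: step back (day-1) days so we stay
    in the current month, then snap to midnight by dropping the seconds
    elapsed since 00:00 UTC.  The SPL equivalent would be
        | eval newdate=latest-(c_time-1)*86400
        | eval newdate=newdate-(newdate % 86400)
    """
    day_of_month = int(datetime.fromtimestamp(latest, timezone.utc).strftime("%d"))
    first_of_month_same_time = latest - (day_of_month - 1) * DAY
    return first_of_month_same_time - (first_of_month_same_time % DAY)


def month_start(latest: int) -> int:
    """Calendar reference: midnight starting the month that contains
    `latest`, which is what relative_time(latest, "@mon") gives in Splunk."""
    dt = datetime.fromtimestamp(latest, timezone.utc)
    return int(dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0).timestamp())


def filter_events(events, cutoff: int):
    """Equivalent of `| where _time >= cutoff`; returns the surviving labels."""
    return [label for t, label in events if t >= cutoff]


# Constructed sample data.  `latest` is 2023-05-11 14:58:56 UTC (the epoch in
# the screenshot filename); the events straddle the April/May boundary.
LATEST = 1683817136
EVENTS = [
    (1682812800, "apr30-midnight"),    # 2023-04-30 00:00:00
    (1682866735, "apr30-before-cut"),  # 2023-04-30 14:58:55, 1 s before the posted cutoff
    (1682866736, "apr30-at-cut"),      # 2023-04-30 14:58:56, the posted newdate
    (1682899200, "may01-midnight"),    # 2023-05-01 00:00:00, the true month start
    (1683000000, "may02"),             # 2023-05-02 04:00:00
    (LATEST,     "may11-latest"),
]

if __name__ == "__main__":
    for name, cutoff in (("posted newdate", posted_newdate(LATEST)),
                         ("corrected arithmetic", arithmetic_month_start(LATEST)),
                         ("relative_time @mon", month_start(LATEST))):
        when = datetime.fromtimestamp(cutoff, timezone.utc)
        print(f"{name:22s} cutoff={cutoff} ({when:%Y-%m-%d %H:%M:%S} UTC) "
              f"keeps {filter_events(EVENTS, cutoff)}")
```

Running it shows the posted cutoff admitting the tail of April 30 while the corrected boundaries keep only May. In Splunk itself the simplest month-to-date filter is a time modifier on the search, `earliest=@mon latest=now`, or `| where _time >= relative_time(now(), "@mon")` after the fact; both snap to midnight in the user's configured time zone, which the UTC modulo trick above does not.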