Solved: Re: Include present time while adding time to the ...

MeMilo09 · ‎04-18-2021

Hello Splunk Community,

I would like to add time to an event, but at the same time keep the present time. So, start with present time and also add one day to the event... Below I have the concept, but I still need some guidance on how to include present time results while also adding one day to the event. Any advise out there?

| makeresults
| eval start_time=relative_time(_time,"-1d@d")
| eval end_time=start_time+3600*24 + 1
| eval the_time=mvrange(start_time, end_time, 3600)
| mvexpand the_time
| rename the_time as _time
| table _time

scelikok · ‎04-18-2021

Hi @MeMilo09,

I am not sure about your need about the present time, but please try below? It will add current time to the list;

| makeresults
| eval start_time=relative_time(_time,"-1d@d")
| eval end_time=start_time+3600*24 + 1
| eval the_time=mvrange(start_time, end_time, 3600)
| eval present_time=strftime(now(),"%s")
| eval the_time=mvappend(the_time,present_time)
| mvexpand the_time
| rename the_time as _time
| table _time

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎04-18-2021

Hi @MeMilo09,

I am not sure about your need about the present time, but please try below? It will add current time to the list;

| makeresults
| eval start_time=relative_time(_time,"-1d@d")
| eval end_time=start_time+3600*24 + 1
| eval the_time=mvrange(start_time, end_time, 3600)
| eval present_time=strftime(now(),"%s")
| eval the_time=mvappend(the_time,present_time)
| mvexpand the_time
| rename the_time as _time
| table _time

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Include present time while adding time to the event

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!