Filter records using time modifiers

dsiob · ‎07-27-2017

Can someone tell me why this is not working:-

I need to filter records having 'Start_Time' within the mentioned range:

Working:-

index=imt_mobile source="*LTS_Validation_1" |eval early=relative_time(now(),"-3w@w")|eval late=relative_time(now(),"-2w@w")| where Start_Time<late|table   "Track" "CO" early  Start_Time late|

Here Start_Time was before 'late' so coming fine.

Not Working:-

index=imt_mobile source="*LTS_Validation_1" |eval early=relative_time(now(),"-3w@w")|eval late=relative_time(now(),"-2w@w")| where Start_Time<"-2w@w"|table   "Track" "CO" early  Start_Time late|

Here it is not working!!

gcusello · ‎07-27-2017

Hi dsiob,
sorry but I don't understand your problem:
in a where condition you have to compare two similar fields: if you use " -2w@w " Splunk don't understand that you're speaking about a time in epochtime format, so you need to transform "-2w@w" in epochtime format to compare with StartTime.
To do this you have to use (as in your first example) |eval late=relative_time(now(),"-2w@w")| where Start_Time<late
So, what is the problem to use eval?
If instead you need to show in Human readable format the three dates use strftime command:

| eval early=strftime(early,"%d/m/%Y %H.%M.%S"), late=strftime(late,"%d/m/%Y %H.%M.%S"), StartTime=strftime(StartTime,"%d/m/%Y %H.%M.%S")

Bye.
Giuseppe

dsiob · ‎07-27-2017

so in place of "-2w@w" I need to use $mytime.Latest$, If I go with eval late=strftime(late,"%d/m/%Y %H.%M.%S") then It does not work If value of $mytime.Latest$ is "now". It is not able to convert "now" to epochtime

gcusello · ‎07-27-2017

Now() is already in epochtime.
you can see with

index=_internal | head 1 | eval late=now() | table late

beware that in your eval command you losed one %.

Bye.
Giuseppe

Filter records using time modifiers

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!