Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Time Comparison - Windows

stakor
Path Finder
‎01-12-2018 02:10 PM

I am trying to compare two windows time stamps, and find out if they are more than 10 minutes apart. The time stamps are in the following format:
‎2018‎-‎01‎-‎12T21:13:31.535000000Z
YYYY-MM-DDTHH:MM:SS

It seems like it would make sense to use the function relative_time:
http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonEvalFunctions
| eval n=relative_time(now(), "-1d@d") aka | eval n=relative_time(, )
The resulting value should be the number of seconds the two values are different, if I understand the description correctly.

Then compare the value of "n" to see if it is over 600 (10-minutes x 60-seconds).

I am guessing that the windows formatting of the time values is throwing Splunk off. Though, as this format is coming straight from a windows log, I had thought that they would be able to be read.

Is this a case where the time/date will have to be parsed out, and then compared?

Has anyone worked with this type of time format before?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-12-2018 05:14 PM

@stakor, you can convert the two time fields to epoch time using strptime() evaluation function (if one or both are in String time format). Once you convert them to String time, you can subtract them to get the difference in time in seconds, will will allow you to check whether they are 600 seconds apart or not.

<YourBaseSearch>
| eval start_time=strptime(start_time,"%Y-%m-%dT%H:%M:%S.%9NZ"),end_time=strptime(end_time,"%Y-%m-%dT%H:%M:%S.%9NZ")
| eval duration=(end_time-start_time)
| search duration>600

Following is a run anywhere example illustrating the same:

| makeresults
| eval start_time="2018-01-12T21:13:31.535000000Z", end_time="2018-01-12T22:20:40.231000000Z"
| fields - _time
| eval start_time=strptime(start_time,"%Y-%m-%dT%H:%M:%S.%9NZ"),end_time=strptime(end_time,"%Y-%m-%dT%H:%M:%S.%9NZ")
| eval duration=(end_time-start_time)
| search duration>600
| fieldformat start_time=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%9NZ")
| fieldformat end_time=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%9NZ")

PS: strptime() converts String Time to Epoch Time and strftime() converts Epoch time to String time. The fieldformat command is used to display String Time while retaining the underlying Epoch Time. If eval is used in place of fieldformat it will modify the underlying data as well. You can refer to Splunk Documentation for all these commands/functions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-12-2018 05:14 PM

@stakor, you can convert the two time fields to epoch time using strptime() evaluation function (if one or both are in String time format). Once you convert them to String time, you can subtract them to get the difference in time in seconds, will will allow you to check whether they are 600 seconds apart or not.

<YourBaseSearch>
| eval start_time=strptime(start_time,"%Y-%m-%dT%H:%M:%S.%9NZ"),end_time=strptime(end_time,"%Y-%m-%dT%H:%M:%S.%9NZ")
| eval duration=(end_time-start_time)
| search duration>600

Following is a run anywhere example illustrating the same:

| makeresults
| eval start_time="2018-01-12T21:13:31.535000000Z", end_time="2018-01-12T22:20:40.231000000Z"
| fields - _time
| eval start_time=strptime(start_time,"%Y-%m-%dT%H:%M:%S.%9NZ"),end_time=strptime(end_time,"%Y-%m-%dT%H:%M:%S.%9NZ")
| eval duration=(end_time-start_time)
| search duration>600
| fieldformat start_time=strftime(start_time,"%Y-%m-%dT%H:%M:%S.%9NZ")
| fieldformat end_time=strftime(end_time,"%Y-%m-%dT%H:%M:%S.%9NZ")

PS: strptime() converts String Time to Epoch Time and strftime() converts Epoch time to String time. The fieldformat command is used to display String Time while retaining the underlying Epoch Time. If eval is used in place of fieldformat it will modify the underlying data as well. You can refer to Splunk Documentation for all these commands/functions.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

stakor
Path Finder
‎01-16-2018 12:07 PM

Thank you for your answer. It is very informative, and when I post it my clean up date into your stand alone formula, it works. (Great way to provide a formula to show the work, I didn't think that was possible.)

I seem to also be having some sort of odd dirty data problem on one system. I am going to try the other one, and see if it is across both of them. But one system has an odd character around the numbers when I copy paste it, or export it into CSV output. I am trying to figure out what the character is, and why it is there.

But, when I remove it, it works like a charm. I want to try to test it a little on the other system, and then I will mark this answer as accepted for this question. Then I will probably post something relating to the dirty data, if I can not clean it up myself.

Again,
Really good answer.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎01-23-2018 08:34 AM

🙂 I am glad you found it working. Do post the question about data issue for the community to assist, unless that is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...