Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to generate time interval into multi value field

jiaminyun
Path Finder
‎01-21-2025 12:03 AM

My requirement is that my start time is January 1, 2024 and end time is January 7, 2024. In addition to placing the start and end times in multi value fields, please also include each date in this time interval, such as January 2, 2024, January 3, 2024, January 4, 2024, January 5, 2024, January 6, 2024. The final field content should be January 1, 2024, January 2, 2024, January 3, 2024, January 4, 2024, January 5, 2024, January 6, 2024, and July.
The SPL statement is as follows:

| makeresults
| eval start_date = "2024-01-01", end_date = "2024-01-07"
| eval start_timestamp = strptime(start_date, "%Y-%m-%d")
| eval end_timestamp = strptime(end_date, "%Y-%m-%d")
| eval num_days = round((end_timestamp - start_timestamp) / 86400)
| eval range = mvrange(1, num_days)
| eval intermediate_dates = strftime(relative_time(start_timestamp, "+".tostring(range)."days"), "%Y-%m-%d")
| eval all_dates = mvappend(start_date, intermediate_dates)
| eval all_dates = mvappend(all_dates, end_date)
| fields all_dates
Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-21-2025 12:30 AM 
| makeresults
| eval start_date = "2024-01-01", end_date = "2024-01-07"
| eval start_timestamp = strptime(start_date, "%Y-%m-%d")
| eval end_timestamp = strptime(end_date, "%Y-%m-%d")
| eval num_days = round((end_timestamp - start_timestamp) / 86400)
| eval all_dates = start_date
| eval range = mvrange(1, num_days + 1)
| foreach mode=multivalue range
    [| eval all_dates=mvappend(all_dates,strftime(relative_time(start_timestamp,"+".<<ITEM>>."d"),"%Y-%m-%d"))]
| fields all_dates
Reply

jiaminyun
Path Finder
‎01-21-2025 06:45 PM

Thank you for your response, it has solved my problem!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...