Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add time in search string
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add time in search string
vik123ash
Explorer
02-26-2018
07:14 PM
Hi All,
i want to add time in search string.
My data is showing time 26-02-2018T02:00:00.000+0000, but while searching i want to add 11 hour , means it should create filter for time 27-02-2018T13:00:00.000+0000.
Also after this i also want to apply substring on time to just show dates.
i am using below one, but its not working.
index=XXXXXX source="XXXXXX" |eval host=add(Date,+11) | eval hostgroup=substr(Date,1,10) | stats count(Date) by hostgroup
Please help.
Vikash
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
02-26-2018
10:17 PM
Try this:
index=XXXXXX source="XXXXXX" |eval date=strptime(CDate, "%d-%m-%Y %H:%M:%S.%3N%z") | eval date1=date+39600 | eval hostgroup =strftime(date1, "%d-%m-%Y") | stats count(CDate) by hostgroup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
02-26-2018
08:04 PM
Hi,
This may be helpful for you:
index=XXXXXX source="XXXXXX" |eval date=strftime(Date, "%d-%m-%Y %H:%M:%S.%3N%z") | eval date1=date+39600 | eval hostgroup =strptime(date1, "%d-%m-%Y") | stats count(date) by hostgroup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vik123ash
Explorer
02-26-2018
08:32 PM
@p_gaurav
Thanks for your quick reply.
Query is not provding any output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
02-26-2018
08:35 PM
Hi,
can you tell me output of this:
index=XXXXXX source="XXXXXX" |eval date=strftime(_time, "%d-%m-%Y %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vik123ash
Explorer
02-26-2018
08:49 PM
I have too many date fields, out of which i want to create filter for one of the date field. i am not sure if _time will help here.
Below is the date field on which i need to execute the query.
CDate: 2018-02-27T03:55:28.000+0000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vik123ash
Explorer
02-26-2018
09:44 PM
Hi @p_gaurav
We are getting output 0 though we have non-zero value.
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
