- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It appears that using now() inside of the map command will always return the time that the map was started rather than the time for each loop. The below SPL shows an example of this. Does anyone have any thoughts on how to get the time for each iteration of the loop?
| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=now()"
| table outer_time_formatted outer_time _time now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The now function always returns the time the search started. There is no provision for doing otherwise.
To get the time for each event ("loop"), use the time function.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The now function always returns the time the search started. There is no provision for doing otherwise.
To get the time for each event ("loop"), use the time function.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The example I gave is a simplified one to show the behavior. My real SPL has the | rest command inside the map. The | rest command does not return _time. I am trying to figure out the time the rest command started for each iteration of the loop. My hunch is this isn't possible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am confused. As @richgalloway pointed out, time() is the correct function to use (in lieu of now()) inside a loop if you want to reveal the time of each iteration. Does this not work? It certainly works for me. (9.0.4)
| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=time()"
| table outer_time_formatted outer_time _time now
outer_time_formatted | outer_time | _time | now |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.312381 |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.404865 |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.476129 |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.546069 |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.616955 |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.690642 |
2023-06-21 08:44:16 | 1687362256 | 2023-06-21 08:44:16 | 1687362256.772683 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, goodness! I was not aware of the time() function. That's what I was looking for. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My answer referred to the time function, not the _time field. You should be able to use time() to get the time of each rest call.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you need now()? Doesn't _time hold now?
| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval inner_time=_time"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was using makeresults as a simplified example to show the behavior. My real SPL is using the rest command inside the map. There is no _time with results returned from | rest. I'm trying to get the time the rest command was started for each iteration of the loop. My hunch is this is not possible.