Solved: Any examples of using now() inside map command?

fredclown · ‎06-20-2023

It appears that using now() inside of the map command will always return the time that the map was started rather than the time for each loop. The below SPL shows an example of this. Does anyone have any thoughts on how to get the time for each iteration of the loop?

| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=now()"
| table outer_time_formatted outer_time _time now

richgalloway · ‎06-20-2023

The now function always returns the time the search started. There is no provision for doing otherwise.

To get the time for each event ("loop"), use the time function.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-20-2023

The now function always returns the time the search started. There is no provision for doing otherwise.

To get the time for each event ("loop"), use the time function.

---
If this reply helps you, Karma would be appreciated.

fredclown · ‎06-21-2023

The example I gave is a simplified one to show the behavior. My real SPL has the | rest command inside the map. The | rest command does not return _time. I am trying to figure out the time the rest command started for each iteration of the loop. My hunch is this isn't possible.

yuanliu · ‎06-21-2023

I am confused. As @richgalloway pointed out, time() is the correct function to use (in lieu of now()) inside a loop if you want to reveal the time of each iteration. Does this not work? It certainly works for me. (9.0.4)

| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=time()"
| table outer_time_formatted outer_time _time now

outer_time_formatted	outer_time	_time	now
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.312381
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.404865
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.476129
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.546069
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.616955
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.690642
2023-06-21 08:44:16	1687362256	2023-06-21 08:44:16	1687362256.772683

fredclown · ‎06-21-2023

Oh, goodness! I was not aware of the time() function. That's what I was looking for. Thanks.

richgalloway · ‎06-21-2023

My answer referred to the time function, not the _time field. You should be able to use time() to get the time of each rest call.

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎06-20-2023

Do you need now()? Doesn't _time hold now?

| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval inner_time=_time"

fredclown · ‎06-21-2023

I was using makeresults as a simplified example to show the behavior. My real SPL is using the rest command inside the map. There is no _time with results returned from | rest. I'm trying to get the time the rest command was started for each iteration of the loop. My hunch is this is not possible.

Any examples of using now() inside map command?

eval

other

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?