
Any examples of using now() inside map command?

fredclown
Builder

It appears that using now() inside of the map command will always return the time that the map was started rather than the time for each loop. The SPL below shows an example of this. Does anyone have any thoughts on how to get the time for each iteration of the loop?

| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=now()"
| table outer_time_formatted outer_time _time now

richgalloway
SplunkTrust

The now function always returns the time the search started. There is no provision for doing otherwise.

To get the time for each event ("loop"), use the time function.


fredclown
Builder

The example I gave is a simplified one to show the behavior. My real SPL has the | rest command inside the map. The | rest command does not return _time. I am trying to figure out the time the rest command started for each iteration of the loop. My hunch is this isn't possible.


yuanliu
SplunkTrust

I am confused. As @richgalloway pointed out, time() is the correct function to use (in lieu of now()) inside a loop if you want to reveal the time of each iteration. Does this not work? It certainly works for me. (9.0.4)

| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=time()"
| table outer_time_formatted outer_time _time now
outer_time_formatted   outer_time   _time                now
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.312381
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.404865
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.476129
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.546069
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.616955
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.690642
2023-06-21 08:44:16    1687362256   2023-06-21 08:44:16  1687362256.772683
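Added example (not from any poster in this thread), building on yuanliu's search: because time() is evaluated inside each map iteration, the per-row timestamps can be turned into a per-iteration duration with streamstats; the same eval can follow a generating command such as | rest inside the map. Field names iteration, iteration_clock, previous_clock and iteration_ms are assumed for illustration.

```spl
| makeresults count=5
| map maxsearches=5 search="| makeresults count=1
    | eval iteration_clock=time()"
| streamstats count AS iteration
| streamstats current=f last(iteration_clock) AS previous_clock
| eval iteration_ms=round((iteration_clock - previous_clock) * 1000)
| eval iteration_clock_formatted=strftime(iteration_clock, "%Y-%m-%d %H:%M:%S.%3N")
| table iteration iteration_clock_formatted iteration_ms
```

The first row has no previous iteration, so its iteration_ms is empty; every later row shows how long the preceding iteration of the loop took in milliseconds.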

fredclown
Builder

Oh, goodness! I was not aware of the time() function. That's what I was looking for. Thanks.


richgalloway
SplunkTrust

My answer referred to the time function, not the _time field. You should be able to use time() to get the time of each rest call.


ITWhisperer
SplunkTrust

Do you need now()? Doesn't _time hold now?

| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval inner_time=_time"

fredclown
Builder

I was using makeresults as a simplified example to show the behavior. My real SPL is using the rest command inside the map. There is no _time with results returned from | rest. I'm trying to get the time the rest command was started for each iteration of the loop. My hunch is this is not possible.
