Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Assign earliest and latest _time to some other timestamp column

splunk_hvijay
Explorer
‎08-10-2016 05:40 AM

I want to take the earliest and latest _time and assign to some other timestamp column. For example, I have a timestamp column Transaction Date which is NOT _time and I want to use this in the search command to achieve the below

Index = test | where Transaction_date => earliest and Transaction_date <= latest

Can you please help me.

Not sure what is epoch time and why to convert that. I have timestamp like "2016-08-05 12:00:00.0"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-10-2016 07:11 AM

Try this

index=test | addinfo | eval Tdate=strptime(Transaction_date,"%Y-%m-%d %H:%M:%S.%1N") | where Tdate >= info_min_time AND Tdate <= info_max_time | ...

Epoch time is the Unix timestamp standard. It's the number of seconds since 1 Jan 1970 (IIRC). Converting dates to epoch (integer) form makes it vastly easier to compare and manipulate them.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...