Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Assign earliest and latest _time to some other timestamp column

splunk_hvijay
Explorer
‎08-10-2016 05:40 AM

I want to take the earliest and latest _time and assign to some other timestamp column. For example, I have a timestamp column Transaction Date which is NOT _time and I want to use this in the search command to achieve the below

Index = test | where Transaction_date => earliest and Transaction_date <= latest

Can you please help me.

Not sure what is epoch time and why to convert that. I have timestamp like "2016-08-05 12:00:00.0"

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-10-2016 07:11 AM

Try this

index=test | addinfo | eval Tdate=strptime(Transaction_date,"%Y-%m-%d %H:%M:%S.%1N") | where Tdate >= info_min_time AND Tdate <= info_max_time | ...

Epoch time is the Unix timestamp standard. It's the number of seconds since 1 Jan 1970 (IIRC). Converting dates to epoch (integer) form makes it vastly easier to compare and manipulate them.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...

Insights from .conf 2025, Smart Edge Processor Scaling, and a New Splunk Lantern ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...