Solved: Re: Change time field to show 'x' minutes ago?

zoebanning · ‎11-29-2021

Hello Splunk Community,

I have a stats table I have created and I want to change the time field ("%Y-%m-%d %H:%M:%S") to present 'x' minutes ago.

Can anyone help with this?

Many Thanks,

Zoe

bowesmana · ‎11-29-2021

The part you need is the now() - _time line below

| makeresults count=10
| eval _time=_time-(random() % (55 * 60))
| sort - _time
| eval mins=round(((now() - _time) / 60))." minutes ago"

this will round down the number of minutes. I'm assuming your time field is from the _time field, which is the epoch time in seconds, so just using the now() function to calculate the difference.

View solution in original post

PickleRick · ‎11-29-2021

Just add/substract needed number of seconds to adjust your timestamp.

For example, to "offset" all results by 10 minutes into the past do:

| eval _time=_time-600

The question is - do you have the timestamp as timestamp (integer) or did you already render it to a string. If it's a string, you have to of course convert it to a timestamp with strptime or - even better - find earlier place in your spl pipeline when the timestamp was still nummerical and get your "source" timestamp from there.

bowesmana · ‎11-29-2021

The part you need is the now() - _time line below

| makeresults count=10
| eval _time=_time-(random() % (55 * 60))
| sort - _time
| eval mins=round(((now() - _time) / 60))." minutes ago"

this will round down the number of minutes. I'm assuming your time field is from the _time field, which is the epoch time in seconds, so just using the now() function to calculate the difference.

zoebanning · ‎11-30-2021

Thank you! Worked out perfectly 🙂

Change time field to show 'x' minutes ago?

eval

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience