Solved: Re: Change time field to show 'x' minutes ago?

zoebanning · ‎11-29-2021

Hello Splunk Community,

I have a stats table I have created and I want to change the time field ("%Y-%m-%d %H:%M:%S") to present 'x' minutes ago.

Can anyone help with this?

Many Thanks,

Zoe

bowesmana · ‎11-29-2021

The part you need is the now() - _time line below

| makeresults count=10
| eval _time=_time-(random() % (55 * 60))
| sort - _time
| eval mins=round(((now() - _time) / 60))." minutes ago"

this will round down the number of minutes. I'm assuming your time field is from the _time field, which is the epoch time in seconds, so just using the now() function to calculate the difference.

View solution in original post

PickleRick · ‎11-29-2021

Just add/substract needed number of seconds to adjust your timestamp.

For example, to "offset" all results by 10 minutes into the past do:

| eval _time=_time-600

The question is - do you have the timestamp as timestamp (integer) or did you already render it to a string. If it's a string, you have to of course convert it to a timestamp with strptime or - even better - find earlier place in your spl pipeline when the timestamp was still nummerical and get your "source" timestamp from there.

bowesmana · ‎11-29-2021

The part you need is the now() - _time line below

| makeresults count=10
| eval _time=_time-(random() % (55 * 60))
| sort - _time
| eval mins=round(((now() - _time) / 60))." minutes ago"

this will round down the number of minutes. I'm assuming your time field is from the _time field, which is the epoch time in seconds, so just using the now() function to calculate the difference.

zoebanning · ‎11-30-2021

Thank you! Worked out perfectly 🙂

Change time field to show 'x' minutes ago?

eval

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!