Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compare time of the output of the query

Anshumaan12
New Member
‎07-29-2016 03:06 AM

Hi All

I am trying to compare the result of the query.

In am getting this result from my query
Hostname date time
1. 17/07/2016 12:32:00
2. 22/07/2016 10:32:00
3. 12/07/2016 18:32:00
4. 18/07/2016 11:32:00
5. 02/07/2016 02:32:00

I want data based on time
Like datatime greater than last 2 hours
Date time greater than 10 hours
Earliest and latest are not working for me correctly so I want to compare time.

Tags (1)
0 Karma
Reply

sundareshr
Legend
‎07-29-2016 05:09 AM

Try this

... | eval dtm=strptime(datetime, "%d/%m/%Y %H:%M:%S")  | eval range=case(dtm>=relative_time(now(), "-2h"), "last 2hrs", dtm>=relative_time(now(), "-10h") AND dtm<relative_time(now(), "-2h"), "last 10hrs", 1=1, "Error time format") | chart count over host by range
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-29-2016 05:06 AM

Could you provide the search you are running and a couple of the underlying raw events?

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-29-2016 04:57 AM

Is this being read from a CSV file? There are many options at ingest time to set the timestamp qualities so this data becomes time-sequenced properly. Have you investigated those? The GUI for adding new data has a whole section on making sure your timestamps are right...

0 Karma
Reply

Anshumaan12
New Member
‎07-29-2016 05:00 AM

No . I am just running a query and getting that output as a dashboard.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...