Creating Multiple custom time ranges for reporting.

New Member

I'm trying to figure out a way to create custom time ranges for reporting. I work at a university and need to run some searches based on semesters. I have the start and end dates for the semesters but I can't figure out how to create the custom time ranges. This is the logic I have so far:

eval Semester = 
if ((EventTime>01/01/2011) AND (EventTime<05/30/2011),"1. Spring 2011",
if ((EventTime>08/29/2010) AND (EventTime<12/19/2010),"2. Fall 2010",0))

I'm thinking that something to this effect would work. My problem is that I don't know how to manipulate the timestamps to get this to work. I read about epochtime but I don't know what I need to do to convert my timestamps to epochtime. Any help to point me in the right direction would be greatly appreciated. This is what my logs look like:

L101E-26    MSWinEventLog   1   Application 1   Tue Mar 08 12:43:00 2011    4   WSH N/A N/A Information L101E-26    None        ACL-Logon     LUID=125965     Action=Logon     Platform=Windows_7     Username=ofischer     IP=129.113.151.46     MAC=00:21:9B:63:02:24     ComputerName=L101E-26     Lab=Library_Writing_Center     EventTime=3/8/2011 12:42:59    0 

SplunkTrust

There are a couple of different ways to achieve what I think is your end result.

1) You can add whole new time ranges to the time dropdown, i.e. add new entries alongside 'last 24 hours' etc. To do this you add stanzas to times.conf. Add the following stanzas to a times.conf file either in etc/apps/<appname>/default/ or etc/system/local/. (Which you add it to depends on whether you've already started making a particular "app", or whether you're just putting everything in the search app. It's probably the former but you never know.)

[spring_2011]
label = Spring 2011
header_label = during Spring 2011
earliest_time = 1293868800
latest_time = 1306738800
order = 11

[Fall_2010]
label = Fall 2010
header_label = during Fall 2010
earliest_time = 1283065200
latest_time = 1292745600
order = 12

And there are some decent converters on the web, if you want to generate other epochtime values (those values above should match the ones in your question) http://www.epochconverter.com/

2) You could potentially do the same thing by using epochtime literals in the search language but I do not recommend it as the performance of the searches will be very bad. If you think about it, Splunk in this situation has to get essentially every event out of the index and then compare the timestamps in memory. So it might take a long time before it even gets back to the first matching event and things start appearing on screen...

3) If you're trying to generate specific charts where you compare the activity in these two periods, then it's a search language approach you want, and it's quite different. You wouldn't use times.conf for that kind of thing. If you want to know more let me know. But also there are a number of questions on this site about that sort of thing.

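The conversion the question is missing and the epoch boundaries in the times.conf stanzas above, worked through as an added example (not code from this thread). It assumes the Splunk server keeps US Pacific time, which is what the posted earliest_time/latest_time values correspond to at local midnight, and treats a semester as the half-open window [earliest_time, latest_time); the strptime format string is the one Splunk's eval strptime() takes for this EventTime field.

```python
"""Convert ACL-Logon EventTime values to epoch and bucket them by semester.
Added example, not from the thread; assumes the Splunk server keeps US Pacific
time (the answer's epoch values are local midnight there) and [earliest, latest)."""
import re
from datetime import datetime
from zoneinfo import ZoneInfo

LOCAL_TZ = ZoneInfo("America/Los_Angeles")  # assumption: server timezone

# (label, earliest_time, latest_time) taken from the times.conf stanzas above.
SEMESTERS = [
    ("Spring 2011", 1293868800, 1306738800),
    ("Fall 2010", 1283065200, 1292745600),
]

# Constructed sample, laid out like the MSWinEventLog line in the question.
SAMPLE_LOG = (
    "L101E-26\tMSWinEventLog\t1\tApplication\t1\tTue Mar 08 12:43:00 2011\t4\tWSH\tN/A"
    "\tN/A\tInformation\tL101E-26\tNone\t\tACL-Logon     LUID=125965     Action=Logon"
    "     Platform=Windows_7     Username=ofischer     IP=129.113.151.46"
    "     MAC=00:21:9B:63:02:24     ComputerName=L101E-26     Lab=Library_Writing_Center"
    "     EventTime=3/8/2011 12:42:59\t0"
)

def parse_kv_fields(line: str) -> dict:
    """KEY=VALUE pairs; separators are tabs or runs of spaces, so the single
    space inside the EventTime value is kept."""
    fields = {}
    for token in re.split(r"\t|\s{2,}", line):
        key, sep, value = token.partition("=")
        if sep and key.isidentifier():
            fields[key] = value.strip()
    return fields

def event_epoch(event_time: str) -> int:
    """Same format string Splunk's eval strptime() takes for this field."""
    naive = datetime.strptime(event_time, "%m/%d/%Y %H:%M:%S")
    return int(naive.replace(tzinfo=LOCAL_TZ).timestamp())

def local_midnight_epoch(year: int, month: int, day: int) -> int:
    """earliest_time / latest_time for a semester starting at local midnight."""
    return int(datetime(year, month, day, tzinfo=LOCAL_TZ).timestamp())

def semester_for(epoch: int) -> str:
    """The bucketing the question sketches with nested if(); case() in SPL."""
    for label, earliest, latest in SEMESTERS:
        if earliest <= epoch < latest:
            return label
    return "Other"
```

Running local_midnight_epoch over the four semester dates reproduces the posted stanza values, and the sample event lands in Spring 2011.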

New Member

What I want is more like what you mentioned in the 3rd option I think. Ultimately my report should show whatever my search is by Semester date_year. So I'll have an overlapping area chart of per semester stats by each calendar year. If you could help me to understand what I need to do to get that info, or point me to some existing relevant topic I'd much appreciate it. I've searched but perhaps my wording is incorrect to bring up the results I'm looking for.
