I'm trying to figure out a way to create custom time ranges for reporting. I work at a university and need to run some searches based on semesters. I have the start and end dates for the semesters but I can't figure out how to create the custom time ranges. This is the logic I have so far:
eval Semester = if ((EventTime>01/01/2011) AND (EventTime<05/30/2011),"1. Spring 2011", if ((EventTime>08/29/2010) AND (EventTime<12/19/2010),"2. Fall 2010",0))
I'm thinking that something to this effect would work. My problem is that I don't know how to manipulate the timestamps to get this to work. I read about epochtime but I don't know what I need to do to convert my timestamps to epochtime. Any help to point me in the right direction would be greatly appreciated. This is what my logs look like:
L101E-26 MSWinEventLog 1 Application 1 Tue Mar 08 12:43:00 2011 4 WSH N/A N/A Information L101E-26 None ACL-Logon LUID=125965 Action=Logon Platform=Windows_7 Username=ofischer IP=22.214.171.124 MAC=00:21:9B:63:02:24 ComputerName=L101E-26 Lab=Library_Writing_Center EventTime=3/8/2011 12:42:59 0
There's a couple different ways to achieve what I think is your end result.
1) You can add whole new timeranges to the time dropdown, ie add new entries alongside 'last 24 hours' etc.. To do this you add stanzas to
times.conf. Add the following stanzas to a times.conf file either in
etc/system/local/. (which you add it to depends on whether you've already started making a particular "app", or whether you're just putting everything in the search app. It's probably the former but you never know.)
[spring_2011] label = Spring 2011 header_label = during Spring 2011 earliest_time = 1293868800 latest_time = 1306738800 order = 11 [Fall_2010] label = Fall 2010 header_label = during Fall 2010 earliest_time = 1283065200 latest_time = 1292745600 order = 12
And there are some decent converters on the web, if you want to generate other epochtime values (those values above should match the ones in your question) http://www.epochconverter.com/
2) You could potentially do the same thing by using epochtime literals in the search language but I do not recommend it as the performance of the searches will be very bad. If you think about it, Splunk in this situation has to get essentially every event out of the index and then compare the timestamps in memory. So it might take a long time before it even gets back to the first matching event and things start appearing on screen...
3) If you're trying to generate specific charts where you compare the activity in these two periods, then it's a search language approach you want, and it's quite different. You wouldnt use times.conf for that kind of thing. If you want to know more let me know. But also there are a number of questions on this site about that sort of thing )
What I want is more like what you mentioned in the 3rd option I think. Ultimately my report should show whatever my search is by Semester date_year. So i'll have an overlapping area chart of per semester stats by each calendar year. If you could help me to understand what I need to do to get that info, or point me to some existing relevant topic i'd much appreciate it. I've searched but perhaps my wording is incorrect to bring up the results i'm looking for.