Try something like this:
Your search | eval currentmonth=relative_time(now(), "@mon") | eval previousmonth=relative_time(now(),"-1mon@mon") |
In your case you can use whatever field generates 2018-02-22 21:54:00.380000 and have eval convert it to a month and then use more evals to do the math.
Or you can try converting the date field into Epoch Time, which I found much easier to work with.
For example, I wanted to see only tickets from the previous month in my ticketing system (however my resolved_at field was hard to work with so I converted it to epoch time):
| eval Rtime=strptime(resolved_at, "%Y-%m-%d %H:%M:%S") | eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") | where Rtime <= end AND Rtime >= start AND _time <= end AND _time >= start |
I still don't understand. In the first example, how would I only perform an operation if the month in the datestamp is march?
I get that I have to convert the datestamp to make it easier to work with, but how do I check if that new epoch time is the first, second, third etc month of the year, then perform an operation?
Hey, so the below eval will run against the current time, then extract the current month and label it as currentmonth:
| eval currentmonth=relative_time(now(), "@mon")
For example "currentmonth" returns this value today: 1522562400.000000
Put that into a website like this : https://www.epochconverter.com/
Then you have an epoch time that Splunk created for the beginning of the month: GMT: Sunday, April 1, 2018 6:00:00 AM
Then the @mon part of the search extracts specifically the month from the current time.
You could easily tweak this to do the same to whichever field is generating your date and time.
| eval new_date=strptime(<yourfield>, "%Y-%m-%d %H:%M:%S")
## This will convert your field into epoch time (strptime alone returns epoch; wrapping it in strftime(..., "%m") would give the month number instead, which could not be compared against the epoch bounds below). Then you could use something like below to tell your search which month you are looking for.
| eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") | where new_date <= end AND new_date >= start AND _time <= end AND _time >= start |
Are you looking for writing a case expression to set a value based on the month of the timestamp (assuming _time is the field)? If yes, you can do it like this
your base search |eval month=strftime(new_date_epoch,"%b") | eval ColOfYourCreation=case(month="Jan","Specific to Jan value", month="Feb","Specific to Feb value",....., true(),"Some Default value")
The |eval month=strftime(new_date_epoch,"%b") portion is where you'd specify your date+timestamp field. If your date+timestamp is a single field with its value already in epoch format, just specify the field name there. If it's in string format, then you'd need to convert it to epoch within that expression, like
|eval month=strftime(strptime(YourTimestampFieldHere,"TimestampFormatWillComeHere"),"%b"). The eval-case expression is where you match month and assign specific value.
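Pulling the two replies above together (the relative_time month snaps and the case expression on the month), here is an added, self-contained SPL search that is not from any poster in this thread. It builds four constructed ticket rows with makeresults, converts resolved_at to epoch with strptime, extracts the month both as a number and as a %b abbreviation, flags rows that fall inside the previous calendar month using the same -1mon@mon / @mon snaps, and assigns a per-month value with case. The ticket IDs and timestamps are made up; the %6N subsecond specifier is assumed to match the six fractional digits in the asker's sample value 2018-02-22 21:54:00.380000.

```spl
| makeresults
| eval raw="2018-02-22 21:54:00.380000,INC001;2018-03-05 09:12:44.000000,INC002;2018-03-28 17:40:01.120000,INC003;2018-04-02 08:00:00.000000,INC004"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<resolved_at>[^,]+),(?<ticket>.+)$"
``` Constructed sample data ends here; the rest is the actual month logic.
| eval Rtime=strptime(resolved_at, "%Y-%m-%d %H:%M:%S.%6N")
``` Month as a number (01..12) and as an abbreviation; %b is capitalised ("Mar"), so match it that way in case().
| eval month_num=tonumber(strftime(Rtime, "%m")), month_abbr=strftime(Rtime, "%b")
``` Previous calendar month window: start is snapped to the first of last month, end is the first of this month (exclusive).
| eval prev_start=relative_time(now(), "-1mon@mon"), prev_end=relative_time(now(), "@mon")
| eval in_prev_month=if(Rtime>=prev_start AND Rtime<prev_end, "yes", "no")
``` "Only do something if the month is March": either filter with where, or branch with case().
| eval bucket=case(month_abbr="Jan", "January rule", month_abbr="Mar", "March rule", true(), "default rule")
| table ticket resolved_at Rtime month_num month_abbr in_prev_month bucket
```

To keep only the March tickets instead of labelling them, replace the case line with `| where month_num=3` (or `| where month_abbr="Mar"`). The triple-backtick lines inside the block are SPL's own triple-backtick comment syntax, not fence boundaries.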
Try this. I took _time and converted it to epoch time; from there I was able to eval my month:
Yoursearch| eval new_date_epoch=_time|eval month=strftime(new_date_epoch,"%b")|table _time,new_date_epoch,month,_raw