Splunk Search

Grouping events by time range relative to the current time, using calculations with eval statements

jdbtee
Path Finder

Hi,

I want to group event times in ranges relative to the current time. Currently this method does not work. The field I'm using is not the event time but a property of a log, so the event looks something like this:

logtime (taken as upload date), STR_TIME(1st detection date "2013-11-3"), prop1, prop2

my chart is: chart count(prop1) over AGE by prop2 usenull=f | sort + prop2

Code:

eval STR_TIME=strptime(detected_date, "%Y-%m-%d")
| eval AGE=case(STR_TIME <= time(-864000s), "10 Days",
STR_TIME > time(-864000s) AND STR_TIME < time(-2592000s), "10 to 30",
STR_TIME >= time(-2592000s) AND STR_TIME < time(-7776000s), "30 to 90",
STR_TIME >= time(-7776000s) AND STR_TIME < time(-15552000s), "90 to 180",
STR_TIME >= time(-15552000s), "180 Days Plus", "180 Days Plus" ) | chart count(prop1) over AGE by prop2 usenull=f | sort + prop2

Error:
Error in 'eval' command: The expression is malformed. Expected ).

I have also tried nested IF statements. I can't find any discussion of using maths within a "case" or "if" eval.

Also tried:
= (time()- seconds)

Are calculations like this possible?

1 Solution

strive
Influencer

Try this

Some search terms...| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...

To check with current time

Some search terms...| eval STR_TIME=strptime(Vulnerability_Published_Date, "%Y-%m-%d") | eval STR_TIME = (now()-STR_TIME)| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...
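The two-step pipeline in this answer (first eval: STR_TIME = now() - strptime(date), second eval: case() on that age in seconds) is worked through below in Python as an added example; it is not code from this thread or from Splunk. It also shows why the first variant put every event in "180 Days Plus": comparing a raw epoch timestamp (over a billion seconds) against second-count literals such as 15552000 always satisfies the last branch, which is exactly the symptom reported further down. The reference time, the sample events and the helper names (strptime_epoch, age_bucket, age_field, chart_count_by_age) are constructed for the example; the reference time stands in for Splunk's now().

```python
from datetime import datetime, timezone

DAY = 86400  # seconds; the SPL literals are 10, 30, 90 and 180 days in seconds

def strptime_epoch(date_str: str, fmt: str = "%Y-%m-%d") -> float:
    """Mirror of eval strptime(): parse a date string to epoch seconds (UTC assumed)."""
    return datetime.strptime(date_str, fmt).replace(tzinfo=timezone.utc).timestamp()

def age_bucket(age_seconds: float) -> str:
    """Mirror of the case() statement in the answer: same thresholds, same
    half-open ranges, same catch-all for anything 180 days or older."""
    if age_seconds <= 10 * DAY:      # STR_TIME <= 864000
        return "10 Days"
    if age_seconds < 30 * DAY:       # > 864000 AND < 2592000
        return "10 to 30"
    if age_seconds < 90 * DAY:       # >= 2592000 AND < 7776000
        return "30 to 90"
    if age_seconds < 180 * DAY:      # >= 7776000 AND < 15552000
        return "90 to 180"
    return "180 Days Plus"           # >= 15552000

def age_field(detected_date: str, now_epoch: float) -> str:
    """The working pipeline: STR_TIME = now() - strptime(...), then case() on the age."""
    return age_bucket(now_epoch - strptime_epoch(detected_date))

def buggy_age_field(detected_date: str) -> str:
    """The first variant: the raw epoch timestamp is compared against the
    second-count literals. Any date after mid-1970 exceeds 15552000 seconds,
    so every event lands in "180 Days Plus"."""
    return age_bucket(strptime_epoch(detected_date))

def chart_count_by_age(events, now_epoch):
    """Mirror of 'chart count(prop1) over AGE by prop2': returns {AGE: {prop2: count}}.
    count(prop1) only counts events where prop1 is present, so None is skipped."""
    table = {}
    for detected_date, prop1, prop2 in events:
        if prop1 is None:
            continue
        age = age_field(detected_date, now_epoch)
        row = table.setdefault(age, {})
        row[prop2] = row.get(prop2, 0) + 1
    return table

# Constructed reference time standing in for now(): 2013-12-01 00:00:00 UTC.
REFERENCE_NOW = strptime_epoch("2013-12-01")

# Constructed sample events: (detected_date, prop1, prop2).
SAMPLE_EVENTS = [
    ("2013-11-25", "f1", "web"),   # 6 days old   -> "10 Days"
    ("2013-11-21", "f2", "web"),   # exactly 10 days -> still "10 Days" (<=)
    ("2013-11-03", "f3", "db"),    # 28 days old  -> "10 to 30"
    ("2013-09-15", "f4", "web"),   # 77 days old  -> "30 to 90"
    ("2013-07-01", "f5", "db"),    # 153 days old -> "90 to 180"
    ("2013-01-10", "f6", "db"),    # > 180 days   -> "180 Days Plus"
    ("2013-01-10", None, "db"),    # prop1 missing: not counted by count(prop1)
]

if __name__ == "__main__":
    for date, _, _ in SAMPLE_EVENTS:
        print(date, "working:", age_field(date, REFERENCE_NOW),
              "| buggy:", buggy_age_field(date))
    print(chart_count_by_age(SAMPLE_EVENTS, REFERENCE_NOW))
```

The "10 Days" boundary is inclusive (<=) while the later boundaries are half-open, matching the SPL case() exactly; an age of precisely 864000 seconds therefore counts as "10 Days". The trailing `sort + prop2` from the question is not emulated; it only orders the chart rows. Because the catch-all branch always matches, AGE is never null and `usenull=f` has nothing to drop here.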


jdbtee
Path Finder

So adding "| eval STR_TIME = (now()-STR_TIME)|" has allowed the relative calculation of events, where I had previously tried this within a single eval with the cases.

jdbtee
Path Finder

Hi Strive,

Your final edit has worked! Cheers


strive
Influencer

Check my edited answer


jdbtee
Path Finder

Hi Strive,

This has produced some output as a start (I have tried for quite a few hours :)), but all events are in "180 Days Plus" and no further cases seem to be met.

The other concern with this is that I want it relative to today, I'm not sure having literals will work.
