Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Grouping events by time range relative to the current time, using calculations with eval statements

jdbtee
Path Finder
‎08-07-2014 03:11 AM

Hi,

I want to groups event times in ranges relative to the current time. Currently this method does not work. The field I'm using is not the event time but a property of a log, so the event looks something like this:

logtime (taken as upload date), STR_TIME(1st detection date "2013-11-3"), prop1, prop2

my chart is: chart count(prop1) over AGE by prop2 usenull=f | sort + prop2

Code:

eval STR_TIME=strptime(detected_date, "%Y-%m-%d")
| eval AGE=case(STR_TIME <= time(-864000s), "10 Days",
STR_TIME > time(-864000s) AND STR_TIME < time(-2592000s), "10 to 30",
STR_TIME >= time(-2592000s) AND STR_TIME < time(-7776000s), "30 to 90",
STR_TIME >= time(-7776000s) AND STR_TIME < time(-15552000s), "90 to 180",
STR_TIME >= time(-15552000s), "180 Days Plus", "180 Days Plus" ) | chart count(prop1) over AGE by prop2 usenull=f | sort + prop2

Error:
Error in 'eval' command: The expression is malformed. Expected ).

I have also tried nested IF statements. I can't find any discussion of using maths within a "case" of "if" eval.

Also tried:
= (time()- seconds)

Are calculations like this possible?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

strive
Influencer
‎08-07-2014 03:31 AM

Try this

Some search terms...| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...

To check with current time

Some search terms...| eval STR_TIME=strptime(Vulnerability_Published_Date, "%Y-%m-%d") | eval STR_TIME = (now()-STR_TIME)| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...

View solution in original post

Reply
Solved! Jump to solution
Solution

strive
Influencer
‎08-07-2014 03:31 AM

Try this

Some search terms...| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...

To check with current time

Some search terms...| eval STR_TIME=strptime(Vulnerability_Published_Date, "%Y-%m-%d") | eval STR_TIME = (now()-STR_TIME)| eval AGE= case(STR_TIME <= 864000, "10 Days", STR_TIME > 864000 AND STR_TIME < 2592000, "10 to 30", STR_TIME >= 2592000 AND STR_TIME < 7776000, "30 to 90", STR_TIME >= 7776000 AND STR_TIME < 15552000, "90 to 180", STR_TIME >= 15552000, "180 Days Plus")  | Next search terms...
Reply
Solved! Jump to solution

jdbtee
Path Finder
‎08-07-2014 04:40 AM

So adding "| eval STR_TIME = (now()-STR_TIME)|" has allowed the relative calculation of events, where I had previously tried this within a single eval with the cases.

Reply
Solved! Jump to solution

jdbtee
Path Finder
‎08-07-2014 04:32 AM

Hi Strive,

Your final edit has worked! Cheers

0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎08-07-2014 04:17 AM

Check my edited answer

0 Karma
Reply
Solved! Jump to solution

jdbtee
Path Finder
‎08-07-2014 04:11 AM

Hi Strive,

This has produced some output as a start (I have tried for quite a few hours :)), but all events are in "180 Days Plus" and no further cases seem to be met.

The other concern with this is that I want it relative to today, I'm not sure having literals will work.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...