Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I manage relative time values passed from a time input and convert to epoch time?

andrewtrobec
Motivator
‎02-28-2018 08:08 AM

Hello,

I would like to convert all possible values set in a time input to epoch time format. This means that it should manage values like:

-d@d @w now

i have found similar threads like this which recommend the relative_time() function, but it doesn't manage all cases. I also found a thread about filtering all values in a time input within a search:

| where if("$time_input.earliest$"!="0" AND "$time_input.earliest$"!="",_time>=if(replace("$time_input.earliest$","\d","")!="",relative_time(now(),if("$time_input.earliest$"="now","-0m","$time_input.earliest$")),"$time_input.earliest$"),0=0) AND if("$time_input.latest$"!="0" AND "$time_input.latest$"!="",_time<if(replace("$time_input.latest$","\d","")!="",relative_time(now(),if("$time_input.latest$"="now","-0m","$time_input.latest$")),"$time_input.latest$"),0=0)

but I cannot figure out how to convert this for use in an eval

Could somebody help me out?

Thank you and best regards,

Andrew

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-28-2018 09:55 AM

Is the timepicker being used to set the parameters of the search? If so, you can do this:

| addinfo
| eval early_time=info_min_time, late_time=info_max_time

And if you don't like having the extra info* fields, you can follow that with:

| fields - info_max_time info_min_time info_search_time info_sid

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎02-28-2018 09:55 AM

Is the timepicker being used to set the parameters of the search? If so, you can do this:

| addinfo
| eval early_time=info_min_time, late_time=info_max_time

And if you don't like having the extra info* fields, you can follow that with:

| fields - info_max_time info_min_time info_search_time info_sid
Reply
Solved! Jump to solution

andrewtrobec
Motivator
‎02-28-2018 11:34 AM

@elliotproebstel this is perfect! No conversions required!

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎02-28-2018 11:35 AM

Great! I converted it to an answer so you can accept it to help others find it in the future. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...