Solved: How can I snap to the last second of the month?

brdr · ‎05-21-2018

I'm looking through time specifiers in Splunk doc. I don't see how I can snap towards the end of month. If I do this:

| makeresults
| eval nnow=now()
| eval lyear=relative_time(nnow, "-1y")
| table nnow lyear

I will get epoch of 1 year ago. What I would like is to snap to the last second of the month (in this case May 2017) 1 year ago. Is this doable?

Thanks

niketn · ‎05-21-2018

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-21-2018

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

brdr · ‎05-22-2018

Awesome. thank you!

How can I snap to the last second of the month?

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?