Splunk Search

How can I snap to the last second of the month?

brdr
Contributor

I'm looking through time specifiers in Splunk doc. I don't see how I can snap towards the end of month. If I do this:

| makeresults
| eval nnow=now()
| eval lyear=relative_time(nnow, "-1y")
| table nnow lyear

I will get epoch of 1 year ago. What I would like is to snap to the last second of the month (in this case May 2017) 1 year ago. Is this doable?

Thanks

Tags (2)
0 Karma
1 Solution

niketn
Legend

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

brdr
Contributor

Awesome. thank you!

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...