Solved: How can I snap to the last second of the month?

brdr · ‎05-21-2018

I'm looking through time specifiers in Splunk doc. I don't see how I can snap towards the end of month. If I do this:

| makeresults
| eval nnow=now()
| eval lyear=relative_time(nnow, "-1y")
| table nnow lyear

I will get epoch of 1 year ago. What I would like is to snap to the last second of the month (in this case May 2017) 1 year ago. Is this doable?

Thanks

niketn · ‎05-21-2018

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-21-2018

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

brdr · ‎05-22-2018

Awesome. thank you!

How can I snap to the last second of the month?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!