Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I snap to the last second of the month?

brdr
Contributor
‎05-21-2018 01:44 PM

I'm looking through time specifiers in Splunk doc. I don't see how I can snap towards the end of month. If I do this:

| makeresults
| eval nnow=now()
| eval lyear=relative_time(nnow, "-1y")
| table nnow lyear

I will get epoch of 1 year ago. What I would like is to snap to the last second of the month (in this case May 2017) 1 year ago. Is this doable?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-21-2018 02:00 PM

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-21-2018 02:00 PM

@brdr, try the following run anywhere search

| makeresults 
| eval lyearEndOfCurrentMonth=relative_time(now(), "-1y@mon+1mon-1s") 
| table lyearEndOfCurrentMonth 
| fieldformat lyearEndOfCurrentMonth=strftime(lyearEndOfCurrentMonth,"%Y/%m/%d %H:%M:%S")

Which will snap to 2017/05/31 23:59:59

PS: The fieldformat command shows epoch time in human readable string format while retaining the underlying value as epoch time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

brdr
Contributor
‎05-22-2018 05:25 AM

Awesome. thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...