Solved: How do I extract the second from _time?

ddrillic · ‎07-31-2017

How do I find whether the time stamp of an event covers a specific second within a day? So, we need to identify all the events for, let’s say, the second at the interval of 11:12:50 - 11:12:51.

Something like | eval mytime=strftime(_time, "%d") but for the second...

adonio · ‎07-31-2017

hello there,
hope i understood your question,
maybe use earliest and latest?
http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch
for example:
index = * sourcetype = * earliest = 7/31/2017:11:19:51 latest = 7/31/2017:11:19:52
you can also use the gui time picker for that

View solution in original post

adonio · ‎07-31-2017

hello there,
hope i understood your question,
maybe use earliest and latest?
http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch
for example:
index = * sourcetype = * earliest = 7/31/2017:11:19:51 latest = 7/31/2017:11:19:52
you can also use the gui time picker for that

ddrillic · ‎07-31-2017

I see - the thing is that we have a long list of seconds we want to look at....

ddrillic · ‎07-31-2017

Perfect @adonio !!!

The following seems to work -

(earliest = 7/20/2017:20:00:00 latest = 7/20/2017:20:00:01) OR
(earliest = 7/20/2017:21:00:00 latest = 7/20/2017:21:00:01) ....

mwirth_splunk · ‎07-31-2017

Use the default field date_second.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/Usedefaultfields#date_second

ddrillic · ‎07-31-2017

Thank you for all you help!

How do I extract the second from _time?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor