Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract the second from _time?

ddrillic
Ultra Champion
‎07-31-2017 07:58 AM

How do I find whether the time stamp of an event covers a specific second within a day? So, we need to identify all the events for, let’s say, the second at the interval of 11:12:50 - 11:12:51.

Something like | eval mytime=strftime(_time, "%d") but for the second...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-31-2017 08:21 AM

hello there,
hope i understood your question,
maybe use earliest and latest?
http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch
for example:
index = * sourcetype = * earliest = 7/31/2017:11:19:51 latest = 7/31/2017:11:19:52
you can also use the gui time picker for that

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎07-31-2017 08:21 AM

hello there,
hope i understood your question,
maybe use earliest and latest?
http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch
for example:
index = * sourcetype = * earliest = 7/31/2017:11:19:51 latest = 7/31/2017:11:19:52
you can also use the gui time picker for that

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-31-2017 08:24 AM

I see - the thing is that we have a long list of seconds we want to look at....

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-31-2017 08:50 AM

Perfect @adonio !!!

The following seems to work -

(earliest = 7/20/2017:20:00:00 latest = 7/20/2017:20:00:01) OR
(earliest = 7/20/2017:21:00:00 latest = 7/20/2017:21:00:01) ....
0 Karma
Reply
Solved! Jump to solution

mwirth_splunk
Splunk Employee
Splunk Employee
‎07-31-2017 08:07 AM

Use the default field date_second.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/Usedefaultfields#date_second

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎07-31-2017 08:57 AM

Thank you for all you help!

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...