Splunk Search

How do I extract the second from _time?

ddrillic
Ultra Champion

How do I find whether the time stamp of an event covers a specific second within a day? So, we need to identify all the events for, let’s say, the second at the interval of 11:12:50 - 11:12:51.

Something like | eval mytime=strftime(_time, "%d") but for the second...

Tags (1)
0 Karma
1 Solution

adonio
Ultra Champion

hello there,
hope i understood your question,
maybe use earliest and latest?
http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch
for example:
index = * sourcetype = * earliest = 7/31/2017:11:19:51 latest = 7/31/2017:11:19:52
you can also use the gui time picker for that

View solution in original post

0 Karma

adonio
Ultra Champion

hello there,
hope i understood your question,
maybe use earliest and latest?
http://docs.splunk.com/Documentation/Splunk/6.6.2/Search/Specifytimemodifiersinyoursearch
for example:
index = * sourcetype = * earliest = 7/31/2017:11:19:51 latest = 7/31/2017:11:19:52
you can also use the gui time picker for that

0 Karma

ddrillic
Ultra Champion

I see - the thing is that we have a long list of seconds we want to look at....

0 Karma

ddrillic
Ultra Champion

Perfect @adonio !!!

The following seems to work -

(earliest = 7/20/2017:20:00:00 latest = 7/20/2017:20:00:01) OR
(earliest = 7/20/2017:21:00:00 latest = 7/20/2017:21:00:01) ....
0 Karma

mwirth_splunk
Splunk Employee
Splunk Employee
0 Karma

ddrillic
Ultra Champion

Thank you for all you help!

0 Karma
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...