Assuming that timestamp is already recognized by Splunk as the event's timestamp, I see two ways your question could go:
... | eval delta = _indextime - _time
... | eval delta = now() - _time
I have a field called CREATION_TIME.
How will I convert this into seconds?
Ah, that's different. You'll need
... | eval delta = now() - strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S")
Great, that worked 🙂
But now I am getting the seconds in the below format,
How should I remove the 0's after the decimal point?
Here is my complete query,
index="ocsmonitor" sourcetype="idle_alert" | eval a = strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S") | stats latest(a) as latests | eval tnow = now() | eval b = (tnow - latests) / 60000 | table b
The output for b is 0.00020000000.
I want to remove the extra 0's.
You can use eval's round(). Why are you dividing by 60000?
I want to convert the seconds back to minutes at the end.
Sorry, I am new to Splunk, so just trying to figure out things.
Seconds to minutes would be "divide by 60"... anywhere, not just in Splunk 😄
lol, my bad.
Actually, these are existing dashboards which are no longer functioning, and I am trying to make them work.
Not sure why the creator divided by 60000 initially...
If the answer and comments by @martin_mueller solved your question, please don't forget to resolve the post by clicking "Accept" directly below his answer. Also, be sure to upvote the answer and/or any of his comments you found especially helpful!
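The thread's advice put together as a run-anywhere search (an added example, not code posted by anyone in the thread): it builds three constructed CREATION_TIME values with makeresults, one of them unparsable, and reports the age of the newest one in minutes using a divide by 60 and round(). The field names data_origin, n, parse_failed, unparsed, age_seconds and age_minutes are assumptions, and max() stands in for latest() because the constructed rows all share one _time.

```spl
| makeresults count=3
| eval data_origin="constructed sample rows, not real idle_alert events"
| streamstats count AS n
| eval CREATION_TIME=case(
    n=1, strftime(now() - 90,  "%Y-%m-%d %H:%M:%S"),
    n=2, strftime(now() - 900, "%Y-%m-%d %H:%M:%S"),
    n=3, "not a timestamp")
| eval a=strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S")
| eval parse_failed=if(isnull(a), 1, 0)
| stats max(a) AS latests, sum(parse_failed) AS unparsed
| eval age_seconds=now() - latests
| eval age_minutes=round(age_seconds / 60, 2)
| table latests age_seconds age_minutes unparsed
```

strptime() returns null when the value does not match the format string, so the unparsed count shows how many rows were silently left out of the age calculation.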