Splunk Search

How to calculate difference between 2 times in minutes

jip31
Motivator

Hi

I need to count time events between now() and now() - 10 minutes

Something like this:

| eval delta=now()-10*60

Could you help please?



PickleRick
SplunkTrust

But it's a constant 600 seconds. Where's the catch? 🙂


jip31
Motivator


I don't need to convert now() to minutes?

And how do I apply it in my search?

Like this?

| stats dc(x) where delta < 10


PickleRick
SplunkTrust

Your stats command is not syntactically correct so it will not work anyway. But that's another problem.

The most important thing is that whenever you can, limit your events as early as you can. And time limiting is the most effective way to speed up your search. So it's way more effective to do a search for last 15 minutes and calculate something from that set of data than running a search over "All time" only to limit the results in the last step.

But sometimes of course limiting results by some time-related field is desirable.

In general, when working with timestamps in Splunk, unless you're doing some very unusual magic, you manipulate so-called epoch or unix timestamps - numbers containing the number of seconds since midnight Jan 1st 1970. So it's only natural to think in seconds when doing any timestamp manipulation or comparison.

So you usually do it like this - if you want only those results in which a, let's say, start_time field is between 2 and 3 days ago you simply add

| where start_time>now() - 3*86400 AND start_time<now() - 2*86400

Of course you must have the field start_time as a numerical unix timestamp, so if needed you have to parse your event's field with strptime().


VatsalJagani
SplunkTrust

@jip31 - Is there a reason why you cannot use the time range as last 10 minutes only?

Is there any specific reason you want to use it in the search to calculate and filter by delta?

Can you please explain the requirement a bit more?


jip31
Motivator

Hi

Yes, because I already use earliest and latest in my search in order to filter events between 7h and 18h.

So in this time slot only, I need to count events which have only existed for 10 minutes or less.

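Putting PickleRick's epoch-seconds approach together with the requirement stated in the last post, here is an added example that is not part of the thread. It builds its own sample data with makeresults, so it runs on any Splunk instance without touching an index: six constructed rows carry a string field start_time_str set 4, 8, 12, ... minutes in the past; strptime() converts it to an epoch timestamp, age_seconds is now() minus that value, and the where clause keeps only rows whose age is at most 600 seconds before stats counts distinct hosts. The field names host, start_time_str, start_time and age_seconds are assumptions made for this example, as is the timestamp format.

```spl
| makeresults count=6
| streamstats count AS n
| eval host="web-0".n
| eval start_time_str=strftime(now() - n*240, "%Y-%m-%d %H:%M:%S")
| eval start_time=strptime(start_time_str, "%Y-%m-%d %H:%M:%S")
| eval age_seconds=now() - start_time
| where age_seconds <= 600
| stats dc(host) AS hosts_started_last_10m, values(host) AS hosts, max(age_seconds) AS oldest_age_seconds
```

With the constructed ages of 240, 480, 720, ... seconds, only the first two rows survive the where clause, so hosts_started_last_10m is 2. In the real search, replace the first two lines with the base search that already carries the working-hours window, for example `index=<your index> earliest=@d+7h latest=@d+18h`, and drop the strptime() line if start_time already arrives as a numeric epoch. The filter has to be a where command placed before stats; `| stats dc(x) where delta < 10` is not valid SPL. One caveat a practitioner should check: strptime() interprets a timestamp string that carries no zone in the search-time default time zone (the searching user's zone), so a field written in UTC without an offset will be off by the local offset unless the string includes one parsed with %z.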