Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert Unix format and compare it with _time for given values of `savedsearch_name` and have a clear visualization

mo_shahin
Engager
‎12-07-2019 03:40 AM

I am trying to visualize the deviation between a correlation rule's scheduled time and the time it was run.
went through the index=_internal sourcetype=scheduler
and found the scheduled time in Unix timestamp format.

How can I convert Unix format and compare it with _time for given values of savedsearch_name and have a clear visualization (to present it for management)

0 Karma
Reply

to4kawa
Ultra Champion
‎12-07-2019 02:28 PM 
your search
|eval my_time= _time

Hi, @mo_shahin
try this, and check my_time. It is unnecessary to convert to Unix timestamp format.

and, Visualization....

index=_internal sourcetype=scheduler
| eval diff=_time - savedsearch_name
| table _time diff

try Line Chart

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...