Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to determine and compare current time?

metylkinandrey
Communicator
‎10-11-2022 03:44 AM

Friends, tell me how to be in the next task.
I have an alert time every two minutes.
I need to use this time, apparently something like this: now();
Next, I need to get the difference between the now() time and the time the last message (t). Let's call the difference between now() and t (t-now);
Enter the variable "interval" (inter), the value of which is 30 seconds;
Then, compare t-now and inter.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2022 04:04 AM

Hi @metylkinandrey,

you have to use the eval command, something like this:

<your_search>
| eval diff=now()-_time)
| where diff>30

If you could share your search I could be more detailed.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2022 04:09 AM

I'm not sure what you're after but maybe something like that.

index=test1 earliest=-1d@d
```Let's define now as the current timestamp```
| eval now=now()
```Now let's find when was the latest event in our base search```
| eventstats latest_time(index) AS latest_event_timestamp
```And finally calculate the interval```
| eval interval=now-latest_event_timestamp
```Since we only have one latest_event and one now we don't have to show all events; we could have done "stats latest_time values(now)" as well instead```
| stats values(now) values(latest_event_timestamp) values(interval)
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-11-2022 04:04 AM

Hi @metylkinandrey,

you have to use the eval command, something like this:

<your_search>
| eval diff=now()-_time)
| where diff>30

If you could share your search I could be more detailed.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2022 04:11 AM

@gcuselloBut searching this way is kinda pointless. You can as well do

<your_search> latest=-30s

And it makes much more sense (unless it's done way further down the pipeline where it actually might make sens if the _time comes from some heavy processing; otherwise let Splunk take care of time-based limiting).

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...