How to edit timestamp to one day previously?

jackreeves
Explorer

I have a report running in SPLUNK on a daily basis. The timestamp for this report is the "Report Date" field (i.e. today). However, the events are actually from the previous day.

Therefore, am I able to run a calculation, either in the config file or at search time, for ("Report Date"-1d@d)? This would then mean the events are timestamped for the correct day.

Thanks in advance.

0 Karma
1 Solution

mayurr98
Super Champion

Oh, I deleted it because I thought that it would not work for you.

index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc("Call No") as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Please accept it if it works for you.

0 Karma

jackreeves
Explorer

Works perfectly. How would this work using the chart command, where Date follows the format "Y/m/d" and is not the timestamp?

Search:
index=diags sourcetype=diags_closed_gdc
| chart dc("Call No") as "Closures" over "Category" by "Date" useother=f limit=100

Thanks,
Jack

0 Karma

mayurr98
Super Champion

Try this:

index=diags sourcetype=diags_closed_gdc
| eval Date=strftime(strptime(Date,"%Y/%m/%d")-86400,"%Y/%m/%d")
| chart dc("Call No") as "Closures" over "Category" by "Date" useother=f limit=100

0 Karma
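The two answers above shift the displayed date after the fact; the search below, added here as an example and not from either poster, instead derives _time from the "Report Date" field before any reporting command runs, so both timechart and chart land on the correct day with no further arithmetic. The makeresults stage fabricates three sample records (constructed, not real diags data), and the field names "Report Date", "Category" and "Assigned" are assumed to match the ones used in this thread.

```spl
| makeresults count=3
| streamstats count AS n
| eval report_date=strftime(relative_time(now(), "-".tostring(n)."d@d"), "%Y/%m/%d")
| eval category=case(n=1, "Network", n=2, "Endpoint", true(), "Identity")
| rename report_date AS "Report Date", category AS "Category"
| eval _time=relative_time(strptime('Report Date', "%Y/%m/%d"), "-1d@d")
| eval Date=strftime(_time, "%Y/%m/%d")
| chart count AS "Assigned" over "Category" by "Date" useother=f limit=100
```

Because _time itself is moved, the final line can be swapped for `| timechart span=1d count AS "Assigned"` unchanged. relative_time(..., "-1d@d") snaps to the previous local midnight, whereas subtracting a flat 86400 seconds from a midnight timestamp lands on 23:00 two days back on the 23-hour day of a DST spring-forward, so the snap form is the safer one for daily reports.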

jackreeves
Explorer

Again that has worked perfectly!

Thank you so much for your help.

0 Karma

jackreeves
Explorer

index=diags sourcetype=diags_assigned
| timechart span=1d dc("Call No") as "Assigned"

This will provide me with following data for previous 7 days:
15/05/2018
14/05/2018
13/05/2018
12/05/2018
11/05/2018
10/05/2018
09/05/2018

However, the data for 15/05/2018 should really be 14/05/2018, and 14/05/2018 should be 13/05/2018, and so on. Essentially, I am changing _time to -1d@d.

0 Karma

mayurr98
Super Champion

Can you provide the search query?

0 Karma

jackreeves
Explorer

@mayurr98 - bizarrely can't see your latest comment but it has worked a charm 🙂

Answer:
index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc("Call No") as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Thanks both for your help

0 Karma

jackreeves
Explorer

index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc("Call No") as "Assigned"

However, the timestamp is always one day in the future (i.e. 15/05/2018 should really be 14/05/2018). This is because I am using a "Report Date" field in my data, while the events are always -1d@d behind.

0 Karma

niketn
Legend

@jackreeves, if your current Time picker selection is Today, i.e. earliest=@d and latest=now, you should change it to

earliest=-1d@d and latest=-1d@s

Please try it out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma