Splunk Search

How to edit timestamp to one day previously?

jackreeves
Explorer

I have a report running in Splunk on a daily basis. The timestamp for this report is the "Report Date" field (i.e. today). However, the events are actually from the previous day.

Therefore, am I able to run a calculation, either in the config file or at search time, for ("Report Date"-1d@d)? This would then mean the events are timestamped for the correct day.

Thanks in advance.

0 Karma
1 Solution

mayurr98
Super Champion

Oh, I deleted it because I thought that it would not work for you.

index=diags sourcetype=diags_assigned_gdc 
| timechart span=1d dc(Call No) as "Assigned" 
| rename _time as time 
| eval time=strftime(time-86400,"%Y-%m-%d")

Please accept it if it works for you.

0 Karma

jackreeves
Explorer

Works perfectly. How would this work using the chart command, where Date is in the following format "Y/m/d" and is not the timestamp?

Search:
index=diags sourcetype=diags_closed_gdc
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

Thanks,
Jack

0 Karma

mayurr98
Super Champion

Try this

index=diags sourcetype=diags_closed_gdc 
| eval Date=strftime(strptime(Date,"%Y/%m/%d")-86400,"%Y/%m/%d") 
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

0 Karma
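Both answers above shift the day by subtracting 86400 seconds from an epoch value (the timechart bucket in the first answer, the parsed "Date" string in the second). That works on an ordinary day, but a local calendar day is not always 86400 seconds long: on the day a daylight-saving transition happens it is 23 or 25 hours, so "midnight minus 86400 seconds" lands on the wrong date and two report rows collapse onto one. The Python below is an added example, not code from this thread or from Splunk; it mirrors the two SPL approaches side by side with a constructed stand-in for the Europe/London 2018 DST rule (so it runs offline without tzdata), and adds the calendar-aware shift that Splunk's relative_time(_time, "-1d@d") performs. All function names are this example's own.

```python
"""Mirror of the two SPL approaches in this thread, shown in Python so the
off-by-one that appears at a DST transition is visible offline."""
import calendar
from datetime import datetime, timedelta, timezone

DAY = 86400  # the constant the accepted answer subtracts from _time

# Constructed stand-in for Europe/London in 2018 so no tzdata is needed:
# BST (UTC+1) from 2018-03-25 01:00 UTC until 2018-10-28 01:00 UTC, GMT otherwise.
BST_START = calendar.timegm((2018, 3, 25, 1, 0, 0))
BST_END = calendar.timegm((2018, 10, 28, 1, 0, 0))


def utc_offset(ts: int) -> int:
    """Offset in seconds east of UTC in force at the UTC instant ts."""
    return 3600 if BST_START <= ts < BST_END else 0


def epoch_to_local(ts: int) -> datetime:
    """Naive local wall-clock time for epoch ts (what Splunk's strftime renders)."""
    return datetime.fromtimestamp(ts + utc_offset(ts), tz=timezone.utc).replace(tzinfo=None)


def local_to_epoch(local: datetime) -> int:
    """Epoch for a naive local wall-clock time (what strptime returns).
    Midnight never falls inside the skipped hour, which is all this thread needs."""
    guess = calendar.timegm(local.timetuple())
    return guess - utc_offset(guess)


def local_midnight(year: int, month: int, day: int) -> int:
    """Epoch of local midnight, i.e. a daily timechart bucket's _time."""
    return local_to_epoch(datetime(year, month, day))


def strftime_local(ts: int, fmt: str) -> str:
    return epoch_to_local(ts).strftime(fmt)


def shift_by_86400(ts: int) -> str:
    """Accepted answer: strftime(time-86400,"%Y-%m-%d")."""
    return strftime_local(ts - DAY, "%Y-%m-%d")


def previous_day_epoch(ts: int) -> int:
    """Calendar-aware equivalent of relative_time(ts, "-1d@d"): snap to local
    midnight of the previous calendar day instead of subtracting 24 hours."""
    local = epoch_to_local(ts)
    prev_midnight = datetime(local.year, local.month, local.day) - timedelta(days=1)
    return local_to_epoch(prev_midnight)


def shift_by_snap(ts: int) -> str:
    """Same rendering as the accepted answer, but on the snapped epoch."""
    return strftime_local(previous_day_epoch(ts), "%Y-%m-%d")


def shift_date_string(date_str: str, fmt: str = "%Y/%m/%d") -> str:
    """Chart case: 'Date' is a Y/m/d string, not _time. Calendar arithmetic on
    the parsed date avoids the 86400-second pitfall entirely."""
    return (datetime.strptime(date_str, fmt) - timedelta(days=1)).strftime(fmt)


def shifted_rows(last_day: datetime, days: int = 7):
    """Daily timechart buckets (local midnights) ending on last_day, rendered
    with both shifts; returns (bucket, minus_86400, snapped) per row."""
    rows = []
    for i in range(days):
        bucket = local_to_epoch(last_day - timedelta(days=i))
        rows.append((strftime_local(bucket, "%Y-%m-%d"),
                     shift_by_86400(bucket),
                     shift_by_snap(bucket)))
    return rows


if __name__ == "__main__":
    # The 2018-03-26 bucket is the first full day after the spring transition:
    # 86400 seconds before its midnight is 23:00 on 03-24, so that row is mislabelled
    # and the report shows two rows for 03-24 and none for 03-25.
    for row in shifted_rows(datetime(2018, 3, 27), 4):
        print(row)
```

In SPL the calendar-aware form of the first answer is `eval time=strftime(relative_time(_time,"-1d@d"),"%Y-%m-%d")`, and of the second `eval Date=strftime(relative_time(strptime(Date,"%Y/%m/%d"),"-1d@d"),"%Y/%m/%d")`; relative_time is a built-in eval function and "-1d@d" is the same modifier the question asked about. Whether the 86400 version misbehaves depends on the search head's or user's configured time zone, which is why it "works perfectly" on most days and silently double-counts on two days a year.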

jackreeves
Explorer

Again that has worked perfectly!

Thank you so much for your help.

0 Karma

jackreeves
Explorer

index=diags sourcetype=diags_assigned
| timechart span=1d dc(Call No) as "Assigned"

This will provide me with the following data for the previous 7 days:
15/05/2018
14/05/2018
13/05/2018
12/05/2018
11/05/2018
10/05/2018
09/05/2018

However, really the data for 15/05/2018 should be 14/05/2018, 14/05/2018 should be 13/05/2018, and so on. Essentially, changing _time to -1d@d.

0 Karma

mayurr98
Super Champion

Can you provide the search query?

0 Karma

jackreeves
Explorer

@mayurr98 - bizarrely I can't see your latest comment, but it has worked a charm 🙂

Answer:
index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Thanks both for your help

0 Karma

jackreeves
Explorer

index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"

However, the timestamp is always one day in the future (i.e. 15/05/2018 should really be 14/05/2018). This is because I am using a "Report Date" field in my data, when the events are always -1d@d behind.

0 Karma

niketn
Legend

@jackreeves, if your current Time picker selection is Today, i.e. earliest=@d and latest=now, you should change it to

earliest=-1d@d and latest=-1d@s

Please try it out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma