Splunk Search

How to edit timestamp to one day previously?

Explorer

I have a report running in SPLUNK on a daily basis. The timestamp for this report is the "Report Date" field (i.e. today). However, the events are actually from the previous day.

Therefore, am I able to run a calculation, either in the config file or at search time, for ("Report Date"-1d@d)? This would then mean the events are timestamped for the correct day.

Thanks in advance.


Re: How to edit timestamp to one day previously?

SplunkTrust

Can you provide the search query?


Re: How to edit timestamp to one day previously?

Explorer

index=diags sourcetype=diagsassignedgdc
| timechart span=1d dc(Call No) as "Assigned"

However, the timestamp is always one day in the future (i.e. 15/05/2018 should really be 14/05/2018). This is because I am using a "Report Date" field in my data, while the events are always -1d@d behind.


Re: How to edit timestamp to one day previously?

Legend

@jackreeves, if your current Time picker selection is Today, i.e. earliest=@d and latest=now, you should change it to

earliest=-1d@d and latest=-1d@s

Please try it out and confirm!

| eval message="Happy Splunking!!!"

Re: How to edit timestamp to one day previously?

Explorer

@mayurr98 - bizarrely can't see your latest comment but it has worked a charm 🙂

Answer:
index=diags sourcetype=diagsassignedgdc
| timechart span=1d dc(Call No) as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Thanks both for your help


Re: How to edit timestamp to one day previously?

Explorer

index=diags sourcetype=diags_assigned
| timechart span=1d dc(Call No) as "Assigned"

This will provide me with the following data for the previous 7 days:
15/05/2018
14/05/2018
13/05/2018
12/05/2018
11/05/2018
10/05/2018
09/05/2018

However, really the data for 15/05/2018 should be 14/05/2018, 14/05/2018 should be 13/05/2018, and so on. Essentially, this means changing _time to -1d@d.


Re: How to edit timestamp to one day previously?

SplunkTrust

Oh, I deleted it because I thought that it would not work for you.

index=diags sourcetype=diags_assigned_gdc
| timechart span=1d dc(Call No) as "Assigned"
| rename _time as time
| eval time=strftime(time-86400,"%Y-%m-%d")

Please accept it if it works for you.


Re: How to edit timestamp to one day previously?

Explorer

Works perfectly. How would this work using the chart command, where Date is in the format "Y/m/d" and is not the timestamp?

Search:
index=diags sourcetype=diagsclosedgdc
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100

Thanks,
Jack


Re: How to edit timestamp to one day previously?

SplunkTrust

Try this:

index=diags sourcetype=diags_closed_gdc
| eval Date=strftime(strptime(Date,"%Y/%m/%d")-86400,"%Y/%m/%d")
| chart dc(Call No) as "Closures" over "Category" by "Date" useother=f limit=100
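As an added example (not from the thread or from Splunk), the "subtract 86400 seconds" shift used in both accepted searches (the timechart _time version and the chart Date version above) is reproduced in Python beside a calendar-day shift, over constructed events and a constructed UK clock rule for 2018. It shows the caveat a reader of this thread should know: strptime() yields local midnight, and on the date after clocks go forward that day is only 23 hours long, so -86400 lands two dates back, whereas the "-1d@d" the poster described is a calendar-day step.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed UK clock rule for 2018 (so the example needs no system tz data):
# BST (UTC+1) runs from 25 Mar 01:00 UTC to 28 Oct 01:00 UTC; GMT (UTC+0) otherwise.
BST_START = datetime(2018, 3, 25, 1)
BST_END = datetime(2018, 10, 28, 1)

def uk_offset(utc_dt):
    """UTC offset of UK local time at a UTC instant in 2018."""
    return timedelta(hours=1) if BST_START <= utc_dt < BST_END else timedelta(0)

def shift_seconds(date_str):
    """Mirror of the thread's SPL: strftime(strptime(Date,"%Y/%m/%d")-86400,"%Y/%m/%d").
    strptime() gives local midnight as an epoch, 86400 s are subtracted, strftime() renders local time."""
    local_midnight = datetime.strptime(date_str, "%Y/%m/%d")
    # Local -> UTC. Midnight never falls inside the transition hour, so the
    # wall-clock value is safe to use for the offset lookup.
    utc_instant = local_midnight - uk_offset(local_midnight) - timedelta(seconds=86400)
    return (utc_instant + uk_offset(utc_instant)).strftime("%Y/%m/%d")

def shift_calendar(date_str):
    """Calendar-day shift: 'one day earlier' (-1d@d) regardless of how long the day was."""
    day = datetime.strptime(date_str, "%Y/%m/%d")
    return (day - timedelta(days=1)).strftime("%Y/%m/%d")

# Constructed sample events: (Category, Date as stored in the event, Call No).
EVENTS = [
    ("Hardware", "2018/05/15", "C-1001"),
    ("Hardware", "2018/05/15", "C-1002"),
    ("Hardware", "2018/05/15", "C-1001"),  # same call twice: dc() counts it once
    ("Software", "2018/05/15", "C-1003"),
    ("Software", "2018/03/26", "C-1004"),  # the day after UK clocks went forward
]

def closures_by_category_and_date(events, shift=shift_calendar):
    """Equivalent of: | eval Date=<shift> | chart dc(Call No) as Closures over Category by Date"""
    calls = defaultdict(set)
    for category, date, call_no in events:
        calls[(category, shift(date))].add(call_no)
    return {key: len(call_nos) for key, call_nos in calls.items()}

if __name__ == "__main__":
    for d in ("2018/05/15", "2018/03/26"):
        print(d, "-> -86400:", shift_seconds(d), " calendar:", shift_calendar(d))
    print(closures_by_category_and_date(EVENTS))
```

On the evidence of this example, a search head in a DST timezone should prefer a calendar-aware day shift for the eval; Splunk's relative_time() with "-1d@d" is the obvious candidate to verify against a spring-forward date before relying on it.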

Re: How to edit timestamp to one day previously?

Explorer

Again that has worked perfectly!

Thank you so much for your help.
