Hello. I am trying to find the amount of time that has passed from the time an event occurred to the present (now()). I tried subtracting the time of the event from the current time, but I got an Epoch time value that gives me times in the 1970s. What conversions do I have to make to have Splunk tell me something happened 30 hours ago and not 30 years?
Thanks for your help
Your subtraction was probably right, but it is no longer an epoch time after that but is instead a duration. Something like the below may help, and will give you a few keywords to search on if it is only close to your needs.
... | fieldformat timeField = tostring(timeField,"duration")
Well you have the time of the event as _time field, and you can use now()
in eval expressions, so you can make a field, let's call it secondsAgo, like so:
| eval secondsAgo=now() - _time
It is of course just a number of seconds. If you were to do | convert ctime(secondsAgo), that would be weird because you're asking Splunk to tell you what time it would be if this number of seconds were defined as "the number of seconds since 1/1/1970 in GMT", which... is generally a random time in 1970.
What you probably want to do after getting secondsAgo as an integer, is convert it to an "HH:MM:SS" duration string, like so:
| eval secondsAgo=now() - _time | eval durationStr=tostring(secondsAgo,"duration")
or if you prefer it in one eval expression,
| eval secondsAgoStr=tostring(now() - _time, "duration")
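To make the distinction above concrete outside of Splunk, here is an added Python illustration (not code from the thread or from Splunk): it subtracts two epoch timestamps to get a duration, shows what happens when that duration is misread as an epoch timestamp the way convert ctime() would, and renders it as an HH:MM:SS string. The sample event time and "now" value are constructed; the D+HH:MM:SS form for durations over a day is my understanding of what tostring(X, "duration") emits and is an assumption, not something the thread states.

```python
"""Added illustration (not from the original thread): a difference of two
epoch timestamps is a duration, not a timestamp, and it should be rendered
as HH:MM:SS rather than converted back to a calendar date."""
from datetime import datetime, timezone

# Constructed sample input: an event at 2023-03-01 00:00:00 UTC and a
# "now" that is 30 hours later (the 30-hours-vs-30-years case in the question).
EVENT_TIME = datetime(2023, 3, 1, 0, 0, 0, tzinfo=timezone.utc).timestamp()
NOW = EVENT_TIME + 30 * 3600


def seconds_ago(event_epoch: float, now_epoch: float) -> int:
    """Equivalent of `| eval secondsAgo=now() - _time`: a duration in seconds."""
    return int(now_epoch - event_epoch)


def misread_as_epoch(duration_seconds: int) -> str:
    """What `| convert ctime(secondsAgo)` effectively does: treat the duration
    as seconds since 1970-01-01 UTC, which lands in early 1970 for any
    duration shorter than a few years."""
    return datetime.fromtimestamp(duration_seconds, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S"
    )


def format_duration(duration_seconds: int) -> str:
    """Render a duration like tostring(X, "duration"): HH:MM:SS, and
    D+HH:MM:SS once it exceeds 24 hours (the day prefix is an assumption
    about Splunk's output format, not something the thread shows)."""
    if duration_seconds < 0:
        # _time later than now(): clock skew or a future-dated event.
        raise ValueError("negative duration: event time is after now")
    days, rem = divmod(duration_seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


if __name__ == "__main__":
    age = seconds_ago(EVENT_TIME, NOW)
    print("secondsAgo:", age)                    # 108000
    print("as ctime  :", misread_as_epoch(age))  # 1970-01-02 06:00:00 (wrong reading)
    print("duration  :", format_duration(age))   # 1+06:00:00
```

The middle function is the trap the question fell into: 108000 seconds is a perfectly good duration, but fed to a timestamp formatter it becomes 06:00 on 2 January 1970.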
Thanks! This is worthy of acceptance for the Answer, but rich7177 posted his Answer-acceptance worthy reply first, and therefore must get credit. I hope my gratitude will suffice in lieu of Karma points!
hehe. Sure no problem. He and I were writing our answers at the same time. Unaccepting answers and accepting others happens all the time but in this case they are both right so it matters little. Cheers.
Thanks! I was not picking up on that important detail.