Splunk Search

How to find the time difference in days between the _time of an event and the current time?

_gkollias
SplunkTrust

Hi All,

I might be overthinking this one, but since I've already used _time (...| stats earliest(_time) as first_seen, latest(_time) as last_seen, ... |), is it possible to find the "current_time"?

What I want to do is something like ..| eval days_since=(current_time-last_seen)

Is this possible?

Thanks!

1 Solution

martin_mueller
SplunkTrust

There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:

... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")

I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.


niketn
Legend

Pipe reltime onto the original query; it creates a field reltime giving the time difference between now and _time in human-readable form.

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Reltime

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller
SplunkTrust

So... this?

... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
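Putting the accepted answer and niketn's reltime suggestion together on constructed data (an added example, not from any of the posters): makeresults fabricates three rows whose last_seen is 2 minutes, 1 day 10 minutes, and 5 days 1 hour in the past, then derives days_since, the "Today / 1 Day / x Days" label, the duration string, and reltime (which reads _time, so last_seen is copied into it first). In a real search, replace the first three lines with something like `... | stats latest(_time) as last_seen by host` to list hosts that have stopped sending events.

```spl
| makeresults count=3
| streamstats count AS row
| eval last_seen = case(row == 1, now() - 120,
                        row == 2, now() - 86400 - 600,
                        row == 3, now() - (5 * 86400) - 3600)
| eval days_since = floor((now() - last_seen) / 86400)
| eval days_since_pretty = case(days_since == 0, "Today",
                                days_since == 1, "1 Day",
                                days_since > 1, days_since . " Days")
| eval duration_since = tostring(now() - last_seen, "duration")
| eval _time = last_seen
| reltime
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table row last_seen days_since days_since_pretty duration_since reltime
```

Because floor() counts whole 24-hour periods from now(), "1 Day" means 24 to 48 hours have elapsed, not "calendar yesterday"; use relative_time(now(), "@d") as the reference if you need calendar-day boundaries.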

Rithekakan
Path Finder

Thanks martin_mueller.

That's also what I want.

_gkollias
SplunkTrust

Thank you!


_gkollias
SplunkTrust

This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:

http://screencast.com/t/9yVnvtpl

I'd like to be able to show something like "Today", "1 Day", or, if greater than 1, "x Days". Here is what I was thinking using the case function:

| eval days_since_last_txn=case(days_since_last_txn=0,"Today",days_since_last_txn=1,"1 Day",days_since_last_txn>1, days_since_last_txn."[".Days."]")

This didn't work for me, but do you have any insight on rounding by number of days?

Thank you!


ppablo
Retired

Hi @_gkollias

Are you looking for something like this?

...| eval days_since=(now()-last_seen)
