Splunk Search

How to find the time difference in days between the _time of an event and the current time?

_gkollias
SplunkTrust

Hi All,

I might be overthinking this one, but since I've already used _time --> ...| stats earliest(_time) as first_seen, latest(_time) as last_seen, ... |, is it possible to find the "current_time"?

What I want to do is do something like ..| eval days_since=(current_time-last_seen)

Is this possible?

Thanks!


martin_mueller
SplunkTrust

There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:

... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")

I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.


niketnilay
Legend

Pipe reltime to the original query, which creates a field reltime giving the time difference between now and _time in human-readable form.

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Reltime



martin_mueller
SplunkTrust

So... this?

... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
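As an added, self-contained example (not code from the original thread), the search below combines the suggestions in this thread on constructed data: it fabricates four hosts with made-up last-seen ages via makeresults, then computes days_since with now(), a calendar-day count, the "duration" string, the case() labels, and niketnilay's reltime. The host names, the ages and the 30-day staleness threshold are assumptions chosen for illustration.

```spl
| makeresults
| eval data="web-01,0 web-02,1 db-01,3 vpn-01,45"
| makemv delim=" " data
| mvexpand data
| rex field=data "(?<host>[^,]+),(?<age_days>\d+)"
| eval _time = now() - (age_days * 86400) - 600
| stats latest(_time) AS last_seen BY host
| eval days_since = floor((now() - last_seen) / 86400)
| eval calendar_days_since = round((relative_time(now(), "@d") - relative_time(last_seen, "@d")) / 86400)
| eval duration_since = tostring(now() - last_seen, "duration")
| eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
| eval stale = if(days_since >= 30, "yes", "no")
| eval _time = last_seen
| reltime
| table host last_seen days_since calendar_days_since duration_since days_since_pretty reltime stale
```

The first five lines only manufacture sample events (each host's _time is set age_days back, minus ten minutes); in a real search they are replaced by the index search feeding `| stats latest(_time) as last_seen by host`. Two things are worth noting when adapting it. `floor((now() - last_seen) / 86400)` counts elapsed 24-hour periods, so an event from 23:00 yesterday shows as 0 "Days" at 09:00 today; the calendar_days_since line uses relative_time to snap both timestamps to midnight ("@d") when you want "yesterday" to count as 1. And reltime reads _time, which stats has discarded, so _time is reassigned from last_seen before calling it. The stale flag is a typical defender use of this calculation: hosts whose last_seen is more than 30 days old are assets that have stopped logging and should be checked for a broken forwarder or a decommissioned-but-still-provisioned machine.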

_gkollias
SplunkTrust

Thank you!


_gkollias
SplunkTrust

This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:

http://screencast.com/t/9yVnvtpl

I'd like to be able to show something like "Today", 1 Day, or if greater than 1 , "x Days". Here is what I was thinking using the case function:

| eval days_since_last_txn=case(days_since_last_txn=0,"Today",days_since_last_txn=1,"1 Day",days_since_last_txn>1, days_since_last_txn."[".Days."]")

This didn't work for me, but do you have any insight on rounding by number of days?

Thank you!


ppablo
Community Manager

Hi @_gkollias

Are you looking for something like this?

...| eval days_since=(now()-last_seen)
