Hi All,
I might be overthinking this one, but since I've already used _time --> ... | stats earliest(_time) as first_seen, latest(_time) as last_seen, ... |, is it possible to find the "current_time"?
What I want to do is do something like ..| eval days_since=(current_time-last_seen)
Is this possible?
Thanks!
There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:
... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")
I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.
Pipe reltime to the original query, which creates a field reltime to give the time difference between now and _time in human-readable form.
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Reltime
So... this?
... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
Thanks martin_mueller.
That's also what I want.
Thank you!
This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:
http://screencast.com/t/9yVnvtpl
I'd like to be able to show something like "Today", "1 Day", or if greater than 1, "x Days". Here is what I was thinking using the case function:
| eval days_since_last_txn=case(days_since_last_txn=0,"Today",days_since_last_txn=1,"1 Day",days_since_last_txn>1, days_since_last_txn."[".Days."]")
This didn't work for me, but do you have any insight on rounding by number of days?
Thank you!