
How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

Hi All,

I might be overthinking this one, but since I've already used time --> ...| stats earliest(time) as firstseen, latest(time) as lastseen, ... |, is it possible to find the "currenttime"?

What I want to do is do something like ..| eval dayssince=(currenttime-last_seen)

Is this possible?

Thanks!


Re: How to find the time difference in days between the _time of an event and the current time?

Community Manager

Hi @KolGr001

Are you looking for something like this?

...| eval dayssince=(now()-lastseen)


Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:

... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")

I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.


Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:

http://screencast.com/t/9yVnvtpl

I'd like to be able to show something like "Today", "1 Day", or if greater than 1, "x Days". Here is what I was thinking using the case function:

| eval dayssincelasttxn=case(dayssincelasttxn=0,"Today",dayssincelasttxn=1,"1 Day",dayssincelasttxn>1, dayssincelast_txn."[".Days."]")

This didn't work for me, but do you have any insight on rounding by number of days?

Thank you!


Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

So... this?

... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
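As an added example that is not part of the thread, the pieces above combined into one search that lists which log sources have gone quiet and for how long (the kind of check a SOC schedules to catch a host or agent that has stopped reporting). The index, sourcetype and the "24 hours or more" threshold are constructed assumptions; everything else is the thread's own now(), floor(), case() and tostring() pattern:

```spl
index=main sourcetype=syslog
| stats earliest(_time) as first_seen latest(_time) as last_seen count by host
| eval days_since=floor((now() - last_seen) / 86400)
| eval days_since_pretty=case(days_since==0, "Today", days_since==1, "1 Day", days_since>1, days_since . " Days")
| eval duration_since=tostring(now() - last_seen, "duration")
| eval calendar_days=round((relative_time(now(), "@d") - relative_time(last_seen, "@d")) / 86400)
| where days_since >= 1
| sort - days_since
| table host first_seen last_seen days_since days_since_pretty calendar_days duration_since count
```

Note that floor((now() - last_seen) / 86400) counts full 24-hour periods since the event, so "Today" means "less than 24 hours ago", not "since midnight"; calendar_days snaps both timestamps to the start of their day with relative_time(..., "@d") and so counts midnight boundaries crossed instead.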

Re: How to find the time difference in days between the _time of an event and the current time?

SplunkTrust

Thank you!


Re: How to find the time difference in days between the _time of an event and the current time?

Legend

Pipe reltime to the original query; it creates a field reltime giving the time difference between now and _time in human-readable form.

http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Reltime

| eval message="Happy Splunking!!!"
