- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to format non-_time field as relative time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to format a field other than _time as relative time, like the reltime command does for _time (and only for _time, as far as I can tell). The following seems like it should work, but does not:
(usual event search)
| fields since
| eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S")
| eval since_relative = "-" + tostring(round(now() - since_epoch,0)) + "s@s"
| eval since_relative2 = relative_time(now(), since_relative)
| table _time, since*
Here is the result:
_time since since_epoch since_relative since_relative2
1360674666.336103 2012-12-11 14:13:24.000000000 -0800 1355264004.000000 -5439049s@s 1355264004.000000
1360674664.507974 2013-01-10 17:09:47.027586083 -0800 1357866587.000000 -2836466s@s 1357866587.000000
1360674663.323016 2013-01-14 09:41:36.000000000 -0800 1358185296.000000 -2517757s@s 1358185296.000000
...
My guess is that relative_time does not like such a huge number of seconds and assumes there must be some error.
I am currently using version 4.3.2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you seem to be doing is this :
since_epoch = a date in the past (in epoch seconds)
since_relative = now - since_epoch
since_relative2 = now - since_relative
SR2 = Now - SR
SR2 = Now - ( Now - SE )
SR2 = Now - Now + SE
SR2 = SE
This is completely correct.
relative_time takes an epoch time, you give it a "splunk" time modifier and it spits out a new epoch date
Do you perhaps want a duration ?
(usual event search) | fields since | eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S") | eval duration=tostring(now()-since_epoch,"duration") | table _time since duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RFE: Please add a way to format arbitrary fields as a relative time text like reltime does for _time.
Looking at the source for reltime.py, it looks like it should be straightforward to add, although from a user's perspective it might be more obvious to look for this sort of thing in eval.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you seem to be doing is this :
since_epoch = a date in the past (in epoch seconds)
since_relative = now - since_epoch
since_relative2 = now - since_relative
SR2 = Now - SR
SR2 = Now - ( Now - SE )
SR2 = Now - Now + SE
SR2 = SE
This is completely correct.
relative_time takes an epoch time, you give it a "splunk" time modifier and it spits out a new epoch date
Do you perhaps want a duration ?
(usual event search) | fields since | eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S") | eval duration=tostring(now()-since_epoch,"duration") | table _time since duration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, I see now that relative_time is supposed to return an epoch date -- I had assumed it worked like reltime and produced a string like "N days ago" or "N months ago", which is what I want, not a duration.
So the short answer, I guess, is that I cannot cleanly do what I want.
If preserving the origin time were important, I could just save and restore _time with eval:
eval orig_time=_time
|eval _time=since_epoch
|...(reltime etc)...
|eval _time=orig_time
Thanks for validating that my logic was correct, aside from not carefully reading the doc about relative_time!
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
