Splunk Search

How to format non-_time field as relative time?

Wilcooley
Path Finder

I would like to format a field other than _time as relative time, like the reltime command does for _time (and only for _time, as far as I can tell). The following seems like it should work, but does not:


(usual event search)
| fields since
| eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S")
| eval since_relative = "-" + tostring(round(now() - since_epoch,0)) + "s@s"
| eval since_relative2 = relative_time(now(), since_relative)
| table _time, since*

Here is the result:

_time              since                                 since_epoch        since_relative  since_relative2
1360674666.336103  2012-12-11 14:13:24.000000000 -0800   1355264004.000000  -5439049s@s     1355264004.000000
1360674664.507974  2013-01-10 17:09:47.027586083 -0800   1357866587.000000  -2836466s@s     1357866587.000000
1360674663.323016  2013-01-14 09:41:36.000000000 -0800   1358185296.000000  -2517757s@s     1358185296.000000
...

My guess is that relative_time does not like such a huge number of seconds and assumes there must be some error.

I am currently using version 4.3.2.

1 Solution

jonuwz
Influencer

What you seem to be doing is this:

since_epoch = a date in the past (in epoch seconds)
since_relative = now - since_epoch
since_relative2 = now - since_relative

SR2 = Now - SR
SR2 = Now - ( Now - SE )
SR2 = Now - Now + SE
SR2 = SE

This is completely correct.

relative_time takes an epoch time; you give it a "splunk" time modifier and it spits out a new epoch date.

Do you perhaps want a duration?

(usual event search)
| fields since
| eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S")
| eval duration = tostring(now() - since_epoch, "duration")
| table _time since duration
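
A Python model of the pipeline in the question, added here as an illustration (it is not Splunk's code and was not posted in the thread). relative_time implements only the "<n><unit>[@<unit>]" modifier subset the question uses, with "@d" snapping done on raw epoch seconds rather than local midnight; strptime_since parses the posted since strings and drops the fractional seconds exactly as the "%Y-%m-%d %H:%M:%S" format does; NOW is the now() value recovered from the posted table (since_epoch plus the seconds in since_relative is 1360703053 on every row); and reltime_text is a constructed approximation of the "N days ago" text reltime produces, applied straight to the non-_time field. Running it reproduces the table's since_epoch and since_relative2 columns and shows why the two are equal.

```python
import re
from datetime import datetime

# Seconds per unit for the subset of Splunk time-modifier units modelled here.
# Simplified: "@d" snapping floors raw epoch seconds (UTC midnight), not the
# search head's local midnight as Splunk would.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MODIFIER_RE = re.compile(r"^([+-]?\d+)([smhd])(?:@([smhd]))?$")

# now() as it was when the thread's search ran, recovered from the posted table:
# since_epoch + <seconds in since_relative> is 1360703053 on every row.
NOW = 1360703053.0

# The three 'since' values from the question's output table (constructed input).
SAMPLE_SINCE = [
    "2012-12-11 14:13:24.000000000 -0800",
    "2013-01-10 17:09:47.027586083 -0800",
    "2013-01-14 09:41:36.000000000 -0800",
]


def strptime_since(text):
    """Stand-in for eval's strptime(since, "%Y-%m-%d %H:%M:%S"): fractional
    seconds are dropped, as in the thread, and the trailing UTC offset is
    honoured (the thread's search head happened to be at -0800)."""
    day, clock, offset = text.split()
    hms = clock.partition(".")[0]
    return datetime.strptime(f"{day} {hms} {offset}", "%Y-%m-%d %H:%M:%S %z").timestamp()


def relative_time(epoch, modifier):
    """Model of eval's relative_time(): shift epoch by a Splunk-style modifier
    such as "-5439049s@s" and return a new epoch time (a number, not text)."""
    m = MODIFIER_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    result = epoch + int(amount) * UNIT_SECONDS[unit]
    if snap:
        result -= result % UNIT_SECONDS[snap]  # "@unit": snap down to the unit boundary
    return float(result)


def since_relative(now, since_epoch):
    """The modifier the question builds: "-" + round(now - since_epoch) + "s@s"."""
    return "-" + str(round(now - since_epoch)) + "s@s"


def reltime_text(epoch, now):
    """reltime-style text ("2 months ago") for an arbitrary epoch field.
    The bucket sizes are a constructed approximation, not Splunk's own table."""
    delta = now - epoch
    if delta < 0:
        return "in the future"
    buckets = (("year", 365 * 86400), ("month", 30 * 86400), ("day", 86400),
               ("hour", 3600), ("minute", 60), ("second", 1))
    for name, secs in buckets:
        n = int(delta // secs)
        if n >= 1 or secs == 1:
            return f"{n} {name}{'' if n == 1 else 's'} ago"


def format_rows(since_values=SAMPLE_SINCE, now=NOW):
    """Run the thread's pipeline on each row and add the relative text the asker wanted."""
    rows = []
    for since in since_values:
        se = strptime_since(since)
        sr = since_relative(now, se)
        rows.append({
            "since": since,
            "since_epoch": se,
            "since_relative": sr,
            "since_relative2": relative_time(now, sr),  # == since_epoch, as the answer derives
            "since_text": reltime_text(se, now),
        })
    return rows


if __name__ == "__main__":
    for row in format_rows():
        print(row)
```

The since_relative2 column equals since_epoch for every row because the modifier is exactly now() minus since_epoch, so subtracting it from now() lands back on since_epoch; the "@s" snap only discards the fractional second. The since_text column is the "N days ago" formatting the question asked for, computed from the since field without touching _time.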

Wilcooley
Path Finder

RFE: Please add a way to format arbitrary fields as a relative time text like reltime does for _time.

Looking at the source for reltime.py, it looks like it should be straightforward to add, although from a user's perspective it might be more obvious to look for this sort of thing in eval.

Wilcooley
Path Finder

Oh, I see now that relative_time is supposed to return an epoch date -- I had assumed it worked like reltime and produced a string like "N days ago" or "N months ago", which is what I want, not a duration.

So the short answer, I guess, is that I cannot cleanly do what I want.

If preserving the origin time were important, I could just save and restore _time with eval:

eval orig_time=_time
| eval _time=since_epoch
| ...(reltime etc)...
| eval _time=orig_time

Thanks for validating that my logic was correct, aside from not carefully reading the doc about relative_time!
