I would like to format a field other than _time as relative time, like the reltime command does for _time (and only for _time, as far as I can tell). The following seems like it should work, but does not:
(usual event search)
| fields since
| eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S")
| eval since_relative = "-" + tostring(round(now() - since_epoch,0)) + "s@s"
| eval since_relative2 = relative_time(now(), since_relative)
| table _time, since*
Here is the result:
_time              since                                since_epoch        since_relative  since_relative2
1360674666.336103  2012-12-11 14:13:24.000000000 -0800  1355264004.000000  -5439049s@s     1355264004.000000
1360674664.507974  2013-01-10 17:09:47.027586083 -0800  1357866587.000000  -2836466s@s     1357866587.000000
1360674663.323016  2013-01-14 09:41:36.000000000 -0800  1358185296.000000  -2517757s@s     1358185296.000000
My guess is that relative_time does not like such a huge number of seconds and assumes there must be some error.
I am currently using version 4.3.2.
What you seem to be doing is this:
since_epoch = a date in the past (in epoch seconds)
since_relative = now - since_epoch
since_relative2 = now - since_relative
SR2 = Now - SR
SR2 = Now - ( Now - SE )
SR2 = Now - Now + SE
SR2 = SE
This is completely correct.
relative_time takes an epoch time; you give it a "splunk" time modifier and it spits out a new epoch date.
Do you perhaps want a duration?
(usual event search) | fields since | eval since_epoch = strptime(since, "%Y-%m-%d %H:%M:%S") | eval duration=tostring(now()-since_epoch,"duration") | table _time since duration
Oh, I see now that relative_time is supposed to return an epoch date -- I had assumed it worked like reltime and produced a string like "N days ago" or "N months ago", which is what I want, not a duration.
So the short answer, I guess, is that I cannot cleanly do what I want.
If preserving the origin time were important, I could just save and restore
Thanks for validating that my logic was correct, aside from not carefully reading the doc about
RFE: Please add a way to format arbitrary fields as a relative time text like reltime does for
Looking at the source for reltime.py, it looks like it should be straightforward to add, although from a user's perspective it might be more obvious to look for this sort of thing in
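
An added example, not part of the thread and not Splunk's reltime.py: a Python rendering of an arbitrary epoch field as "N days ago" style text, applied to the three since values from the result table above. The function names, the unit sizes (30-day months, 365-day years) and the "in N units" wording for future timestamps are assumptions of this example.

```python
from datetime import datetime

# Unit sizes are an assumption of this example (30-day months, 365-day years);
# they are not taken from Splunk's reltime.py.
UNITS = (
    ("year", 365 * 86400),
    ("month", 30 * 86400),
    ("day", 86400),
    ("hour", 3600),
    ("minute", 60),
    ("second", 1),
)


def since_to_epoch(since):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffffff -0800' into epoch seconds."""
    date_part, time_part, offset = since.split()
    # Drop fractional seconds, as the thread's strptime() format does.
    stamp = "%s %s %s" % (date_part, time_part[:8], offset)
    return int(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z").timestamp())


def relative_text(epoch, now):
    """Render epoch relative to now as 'N units ago' or 'in N units'."""
    delta = int(now) - int(epoch)
    age = abs(delta)
    if age == 0:
        return "now"
    # The last unit is one second, so this loop always breaks for age >= 1.
    for name, size in UNITS:
        if age >= size:
            count = age // size
            break
    label = "%d %s%s" % (count, name, "" if count == 1 else "s")
    return label + " ago" if delta > 0 else "in " + label


# Constructed sample: the three `since` values from the result table above,
# with now() fixed at the value implied by since_relative (1360703053).
NOW = 1360703053
SAMPLE = [
    "2012-12-11 14:13:24.000000000 -0800",
    "2013-01-10 17:09:47.027586083 -0800",
    "2013-01-14 09:41:36.000000000 -0800",
]

if __name__ == "__main__":
    for since in SAMPLE:
        print(since, "->", relative_text(since_to_epoch(since), NOW))
```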