Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to not evaluate something during a certain time period?

kdimaria
Communicator
‎10-13-2017 07:03 AM

So, I have a search query that calculates a field but I wanted to know if there is a way to check if it is a certain time period and then to not calculate that field. I have a start time and end time: for example: 10/13/2017 12:10:00 and end time 10/20/2017 14:20:00. And I wanted to change the eval so that if the current time matches that time field then to make a different calculation than what its currently calculating. Basically eval field=if("in time frame",new calculation, old calculation)

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2017 07:24 AM

Hi kdimaria,
you could try something like this (if my_time is the field name in your logs but not _time):

| eval field=if(my_time>earliest AND my_time<latest,new calculation, old calculation)

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2017 07:24 AM

Hi kdimaria,
you could try something like this (if my_time is the field name in your logs but not _time):

| eval field=if(my_time>earliest AND my_time<latest,new calculation, old calculation)

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...