Solved: Is there a conversion function for time modifiers?

johnraftery · ‎02-26-2016

Hi, I'm using a time picker which gives you a start and end token as time modifiers (eg "-2d@d - now" for the last two days). See http://docs.splunk.com/Documentation/Splunk/6.3.3/Search/Specifytimemodifiersinyoursearch

Is there a function to convert the time modifier into an absolute time (ie 1456312200 - 1456482900)? I know I can put the time modifiers into the earliest and latest tags of my query, but I'm actually querying a lookup table so there is no _time field to base it on; I need to restrict the time in the query itself.

Thanks,
John

richgalloway · ‎02-26-2016

Try the relative_time() function. For example,

... | eval absTime = relative_time(now(), $start$) | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-26-2016

Try the relative_time() function. For example,

... | eval absTime = relative_time(now(), $start$) | ...

---
If this reply helps you, Karma would be appreciated.

johnraftery · ‎02-26-2016

That's the one, thanks!

javiergn · ‎02-26-2016

Hi,

Sorry I'm not too sure what you are referring to.
Please take a look at the relative_time() function and let me know if that's what you are looking:

http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Commonevalfunctions#Date_and_Time_...

johnraftery · ‎02-26-2016

That's the one, thanks!

Is there a conversion function for time modifiers?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform