Splunk Search

Minutes between most recent event date and now

aleem
SplunkTrust

I have a field called fldTimeStamp which I use to hold the date on which events were raised rather than the date I imported them into Splunk. This works great. However, I need to know if the most recent fldTimeStamp is more than 20 minutes old.
I can use "head 1 | fields timestamp fldTimeStamp | eval fldNow = time() | convert ctime(fldNow)" to get the current time. However, I am struggling to subtract fldTimeStamp from now (fldNow).

Presumably, I need to do some evals and converts.

Any ideas how to do this?

Be the best version of you

carmackd
Communicator

You can use the convert command to turn your fldTimeStamp field into epoch time, then subtract it from your now() eval. Example:

| convert timeformat="%Y %D" mktime(fldTimeStamp) AS epoch_fldTimeStamp | eval fldNow=now() | eval age=fldNow-epoch_fldTimeStamp | where age < 1800

NOTE: use this link to get the correct time directives for your timeformat

http://www.tutorialspoint.com/python/time_strptime.htm

kristian_kolb
Ultra Champion

What is the format of fldTimeStamp? epoch? YYYY-mm-dd HH:MM:SS?

It's quite easy to craft a search that will show the age of the most recent event.

/k


aleem
SplunkTrust

I really want to know if the latest event is less than 30 minutes old, so I guess I could simply use the following:

sourcetype="myhost" earliest=-30m | head 1

Zero results would mean that there are no events in the past 30 minutes.

Be the best version of you
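As an added example that is not part of the thread above, the following Python mirrors what carmackd's convert/mktime pipeline and aleem's `earliest=-30m | head 1` variant each compute: parse the event-time field with strptime directives, take the newest value, subtract it from "now", and compare against a threshold. The field name fldTimeStamp and the default threshold of 20 minutes come from the question; the timestamp format, the sample events and the function names are assumptions made for this example. It also handles the two cases the thread touches on but the SPL does not make explicit: a record whose timestamp does not match the format (Splunk would leave mktime's output null and the event would silently drop out of the `where`), and a search that returns no events at all, which for a monitoring check must count as stale rather than pass.

```python
"""Added example (not from the original thread): the age-of-latest-event
check from the SPL answers, done in Python with the same strptime
directives, including the "no events at all" case from the last reply."""
from datetime import datetime, timezone

# Assumed format of fldTimeStamp; substitute the real one using the
# strptime directive table linked in the answer.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data, shaped like events a Splunk search might return.
# fldTimeStamp is the time the event was raised, not the index time.
SAMPLE_EVENTS = [
    {"host": "myhost", "fldTimeStamp": "2024-03-01 10:05:00"},
    {"host": "myhost", "fldTimeStamp": "2024-03-01 10:42:30"},
    {"host": "myhost", "fldTimeStamp": "2024-03-01 09:58:11"},
    {"host": "myhost", "fldTimeStamp": "not a timestamp"},  # malformed record
]


def to_epoch(value, fmt=TIMESTAMP_FORMAT):
    """Equivalent of `convert timeformat=... mktime(fldTimeStamp)`:
    string -> epoch seconds (timestamps without a zone are assumed UTC),
    or None when the string does not match the format."""
    try:
        parsed = datetime.strptime(value, fmt)
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def latest_event_age(events, now, fmt=TIMESTAMP_FORMAT):
    """Age in seconds of the most recent parseable fldTimeStamp, or None
    if no event parsed. `now` is injected as epoch seconds so results are
    reproducible; in SPL it is now()."""
    epochs = [to_epoch(ev.get("fldTimeStamp", ""), fmt) for ev in events]
    epochs = [e for e in epochs if e is not None]
    if not epochs:
        return None
    return now - max(epochs)


def feed_is_stale(events, now, max_age_seconds=20 * 60, fmt=TIMESTAMP_FORMAT):
    """True when the newest event is older than the threshold, or when there
    are no (parseable) events at all. Treating zero results as stale is the
    point of the `earliest=-30m | head 1` variant: a log source that has gone
    silent is a detection gap, so absence of events must alarm, not pass."""
    age = latest_event_age(events, now, fmt)
    return age is None or age > max_age_seconds


if __name__ == "__main__":
    now = to_epoch("2024-03-01 11:00:00")
    print(latest_event_age(SAMPLE_EVENTS, now))     # 1050.0 (17.5 minutes)
    print(feed_is_stale(SAMPLE_EVENTS, now))        # False: within 20 minutes
    print(feed_is_stale(SAMPLE_EVENTS, now + 600))  # True: 27.5 minutes old
    print(feed_is_stale([], now))                   # True: no events at all
```

The malformed fourth record is skipped rather than treated as the newest event; in the SPL version a bad timeformat would have the same effect on every event, so when a check like this suddenly reports "stale" for a live source, verify the format string before assuming the feed stopped.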