Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help with adding if condition between time

srinivasgowda
Explorer
‎03-26-2021 04:24 AM

Hello all,

blacklist   blackout_end               blackout_start
1              1616756907                  1616756427
1              1616756907                  1616756427

 

I am trying to add the value for blacklist, where if the _time > blackout_start AND < blackout_end then blacklist=1 else 0.  

Please help in getting the right answer.

 

Thanks.

Labels (3)
0 Karma
Reply

aasabatini
Motivator
‎03-26-2021 05:03 AM

Hi

first you need to convert your timestamp in epoch

| eval epoch=strftime(_time, "%s") 

after this you can create your if condition, below you find the eval convertion and eval condition

| eval epoch=strftime(_time, "%s") | eval blacklist=if(blacklist_start > epoch AND epoch < blacklist_end,"1","0")

would be nice if you confirm the solution

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

rnowitzki
Builder
‎03-26-2021 05:25 AM

_time is stored as epoch internally and you can use it like that.
No need to convert it prior to the conditional eval.

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

aasabatini
Motivator
‎03-26-2021 05:29 AM

epoch is stored on _time field but to works need convertions or blacklist_start/end field or time.

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

rnowitzki
Builder
‎03-26-2021 05:36 AM

Nope, you can use it as-is.

Doesn't really matter in this case, but I wanted to be sure I don't tell BS and tested it (again) 🙂 :

epoch_time_usage.PNG

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply

rnowitzki
Builder
‎03-26-2021 05:01 AM

Hi @srinivasgowda ,

Try this

| eval blacklist=if(_time > blackout_start AND _time < blackout_end,1,0)

 

Hope it works for you.
BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...