Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help with adding if condition between time

srinivasgowda
Explorer
‎03-26-2021 04:24 AM

Hello all,

blacklist   blackout_end               blackout_start
1              1616756907                  1616756427
1              1616756907                  1616756427

 

I am trying to add the value for blacklist, where if the _time > blackout_start AND < blackout_end then blacklist=1 else 0.  

Please help in getting the right answer.

 

Thanks.

Labels (3)
0 Karma
Reply

aasabatini
Motivator
‎03-26-2021 05:03 AM

Hi

first you need to convert your timestamp in epoch

| eval epoch=strftime(_time, "%s") 

after this you can create your if condition, below you find the eval convertion and eval condition

| eval epoch=strftime(_time, "%s") | eval blacklist=if(blacklist_start > epoch AND epoch < blacklist_end,"1","0")

would be nice if you confirm the solution

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

rnowitzki
Builder
‎03-26-2021 05:25 AM

_time is stored as epoch internally and you can use it like that.
No need to convert it prior to the conditional eval.

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

aasabatini
Motivator
‎03-26-2021 05:29 AM

epoch is stored on _time field but to works need convertions or blacklist_start/end field or time.

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply

rnowitzki
Builder
‎03-26-2021 05:36 AM

Nope, you can use it as-is.

Doesn't really matter in this case, but I wanted to be sure I don't tell BS and tested it (again) 🙂 :

epoch_time_usage.PNG

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply

rnowitzki
Builder
‎03-26-2021 05:01 AM

Hi @srinivasgowda ,

Try this

| eval blacklist=if(_time > blackout_start AND _time < blackout_end,1,0)

 

Hope it works for you.
BR
Ralph

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...