Need help with adding if condition between time

srinivasgowda · ‎03-26-2021

Hello all,

blacklist blackout_end blackout_start
1 1616756907 1616756427
1 1616756907 1616756427

I am trying to add the value for blacklist, where if the _time > blackout_start AND < blackout_end then blacklist=1 else 0.

Please help in getting the right answer.

Thanks.

aasabatini · ‎03-26-2021

Hi

first you need to convert your timestamp in epoch

| eval epoch=strftime(_time, "%s")

after this you can create your if condition, below you find the eval convertion and eval condition

| eval epoch=strftime(_time, "%s") | eval blacklist=if(blacklist_start > epoch AND epoch < blacklist_end,"1","0")

would be nice if you confirm the solution

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

rnowitzki · ‎03-26-2021

_time is stored as epoch internally and you can use it like that.
No need to convert it prior to the conditional eval.

--
Karma and/or Solution tagging appreciated.

aasabatini · ‎03-26-2021

epoch is stored on _time field but to works need convertions or blacklist_start/end field or time.

Regards

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

rnowitzki · ‎03-26-2021

Nope, you can use it as-is.

Doesn't really matter in this case, but I wanted to be sure I don't tell BS and tested it (again) 🙂 :

BR
Ralph

--
Karma and/or Solution tagging appreciated.

rnowitzki · ‎03-26-2021

Hi @srinivasgowda ,

Try this

| eval blacklist=if(_time > blackout_start AND _time < blackout_end,1,0)

Hope it works for you.
BR
Ralph

--
Karma and/or Solution tagging appreciated.

Are you a member of the Splunk Community?