Solved: Re: Relative_time() and convert() Function

vasanthmss · ‎12-18-2014

Hi Splunkers,

when i'm running first Search returns getting zero value where as second Search giving correct value. Explain me how its working,

Search 1:

|stats count | eval next_time=relative_time(now(),"-45y")

Search 2:

|stats count | eval next_time=relative_time(now(),"-45y")| convert ctime(*_time)

V

vasanthmss · ‎12-19-2014

This behaviour is because of this issue http://answers.splunk.com/answers/204021/limitation-in-relative-time-function.html

V

View solution in original post

vasanthmss · ‎12-19-2014

This behaviour is because of this issue http://answers.splunk.com/answers/204021/limitation-in-relative-time-function.html

V

fdi01 · ‎12-19-2014

so see your command eval = next_time relative_time (now (), "- 45y") will provide no results that eventually you converted,
because if you run these commands get the same result
|stats count | eval next_time=relative_time(now(),"-45y")| convert ctime(_time)

or |stats count | convert ctime(_time)

kml_uvce · ‎12-19-2014

In first search its zero as its epoch time (start time) and when you are converting this epoch time in second search then its giving in date format
http://en.wikipedia.org/wiki/Unix_time

kamal singh bisht

Relative_time() and convert() Function

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation