- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search earliest"-10m" based on a datetime field from the event and not from the indexed time
Hi,
i want to search the events from the last 10 minutes based on the secondary datetime field from a event.
Normal Search with Index time:
earliest="-10m" index="xxx" source="xxx"
Spezial Search with Event time:
earliest(from DateTime Field)="-10m" index="xxx" source="xxx" ???
Thank You
Christoph
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey criedman,
You can try something like this:
index="xxx" source="xxx" |eval currenttime=now() |eval a=currenttime-36000 |search datetimefield >a
In this case,you will be comparing the currenttime-10mins which gives a in epoch of 10 mins earlier.Also please make sure you convert the datetimefield in epoch as well.
Let me know if this works!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What you should do is set your timestamp recognition up properly so that the time Splunk is registering is the one from your event contents, not when the event was indexes. Splunk has two different fields for time: _indextime which is always when the event was indexed, and _time which is the time registered for the event. Typically this is retrieved by parsing a timpestamp from the event data. See more information available in the docs here: https://docs.splunk.com/Documentation/Splunk/7.1.1/Data/Configuretimestamprecognition
