I have a search where I have been using "latesttime=-2d@d" to specify the time range, like so:
... latesttime=-2d@d
This works great, but now I wish to change this to an absolute date, not relative to the time the search is made. I understand I could use the following pattern:
... _time<=123456789
But I would really like to avoid explicitly stating an epoch time if I can. Is there a function to eval that I'm missing that allows me to convert a date-string into epoch time that I could use, or is there some other pattern altogether that I should be using?
To expand somewhat on the use case in question:
The search itself needs to contain two different timespans, a search that will use |accum over a large timespan, and then charting all changes to it during another specific timespan. My approach is thus:
... earliest=-6mon latest="$end$" | timechart eval(sum(x)-sum(y)) as x | accum x as total | eval start="$start$" | convert mktime(start) | where _time>=start
Where $end$ and $start$ are supplied by the user in a form search.
The thinking is that we accumulate a starting value for our total-field that reaches far in the past. However, when we want to plot this, we are only interested in what value total had within a certain time window ($start, $end).
I hope that sheds some light on the problem, and as you can see, this current approach includes both the suggestions of gkanapathy and Simeon. It is, however, a shame to note that $end$ and $start$ here require different time formats (one of them needs ":" between YYYY and HH, while the other requires a space).
You can simply express a time parameter like this:
sourcetype=xyz latest="05/31/2010:11:28:12"
to specify an absolute time. Sorry, US date format. If you want a different one, you can do this:
sourcetype=xyz timeformat="%Y-%m-%dT%H:%M:%S" latest="2010-06-15T12:34:56"
Note that timeformat must come before the time in the search string.
Added a longer description of the usecase.
NOTE: If you're using the UI, i really recommend sticking with the absolute time functionality in TimeRangePicker > Custom Time. If you use time terms in the searchstring the UI will nag you about it with that little blue bar from now to eternity.
If you can detail your exact data set and use case, the answer will be that much more detailed.
You would use the convert command with mktime function:
... | convert mktime(your_time_field)
More details here:
http://www.splunk.com/base/Documentation/latest/SearchReference/Convert
The opposite command is the ctime function.
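Putting the two answers together with the use case from the question, as an added example that is not part of the original thread: the timeformat term lets the absolute latest= string use the same layout as the user-supplied start string, and strptime in eval (instead of convert mktime, whose default layout is "%m/%d/%Y %H:%M:%S", which is why the question's $start$ needed a space where $end$ needed a colon) converts that start string to epoch using the very same layout, so both form tokens can be typed in one format. sourcetype=xyz, the fields x and y, the daily span and the token values "2010-06-01 00:00:00" / "2010-06-15 12:34:56" are assumptions for illustration.

```spl
sourcetype=xyz timeformat="%Y-%m-%d %H:%M:%S" earliest=-6mon latest="2010-06-15 12:34:56"
| timechart span=1d eval(sum(x)-sum(y)) AS x
| accum x AS total
| eval start=strptime("2010-06-01 00:00:00", "%Y-%m-%d %H:%M:%S")
| where _time>=start
| fields - start
```

In a form, the two literal dates are where $end$ and $start$ go. timeformat must precede latest= on the line; it only governs how absolute time strings are parsed, so the relative earliest=-6mon is unaffected. The running total is accumulated over the full six months, and the where clause then keeps only the daily buckets from the start date onward, which is what the chart should show.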