Greetings Splunkers,
I have a lookup file that has a list of set jobs with a frequency timestamp (e.g. Mon-Fri @ 3:30) of when the job should be seen within Splunk. I'm wanting to create an eval that will allow me to match the index time of an event/job with its frequency timestamp.
The dilemma I'm having is incorporating a +/- 5 min time span into the matching criteria. Any assistance in figuring this out would be greatly appreciated.
| eval start=computedTime - 300, end=computedTime + 300
The +/- 5 minute bit is easy - just add or subtract 300 seconds from the computed timestamp. IMO, the hard part is converting "Mon-Fri @ 3:30" into a timestamp.
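The conversion richgalloway calls the hard part, worked through as an added example that is not code from this thread: it parses a lookup frequency string such as "Mon-Fri @ 3:30" into the set of scheduled days plus a 24-hour time (the 24-hour reading and the field layout are assumptions), computes the scheduled timestamp on the event's date, and applies the +/-300 second window. It goes slightly beyond the single case in the question: it also accepts day lists ("Sat,Sun"), wrapping ranges ("Fri-Mon"), and a window that straddles midnight.

```python
# Added example, not from the original Splunk Answers thread.
# Assumptions: times in the frequency string are 24-hour local time; the
# lookup row carries a job name and a "frequency" field (names are hypothetical).
import re
from datetime import datetime, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # order matches datetime.weekday()
WINDOW = timedelta(seconds=300)                            # the +/-5 minute tolerance from the thread

# "<days> @ <hh>:<mm>", e.g. "Mon-Fri @ 3:30" or "Sat,Sun @ 14:05"
FREQ_RE = re.compile(r"^\s*(?P<days>[A-Za-z,\-\s]+?)\s*@\s*(?P<hh>\d{1,2}):(?P<mm>\d{2})\s*$")


def expand_days(spec):
    """'Mon-Fri' -> {'Mon',...,'Fri'}; 'Sat,Sun' -> {'Sat','Sun'}; 'Fri-Mon' wraps past Sunday."""
    result = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            first, last = (p.strip() for p in part.split("-", 1))
            i, j = DAYS.index(first), DAYS.index(last)   # ValueError on an unknown day name
            if i <= j:
                result.update(DAYS[i:j + 1])
            else:                                         # range wraps, e.g. Fri-Mon
                result.update(DAYS[i:] + DAYS[:j + 1])
        else:
            DAYS.index(part)                              # validate the day name
            result.add(part)
    return result


def parse_frequency(freq):
    """Parse 'Mon-Fri @ 3:30' into (set_of_days, hour, minute)."""
    m = FREQ_RE.match(freq)
    if not m:
        raise ValueError("unrecognised frequency: %r" % freq)
    hh, mm = int(m.group("hh")), int(m.group("mm"))
    if not (0 <= hh < 24 and 0 <= mm < 60):
        raise ValueError("bad time in frequency: %r" % freq)
    return expand_days(m.group("days")), hh, mm


def scheduled_times(freq, when):
    """Scheduled timestamps on the event's date and the neighbouring days.

    Looking one day either side lets a window that straddles midnight
    (job at 00:02, event at 23:58 the day before) still match.
    """
    days, hh, mm = parse_frequency(freq)
    out = []
    for delta in (-1, 0, 1):
        d = when + timedelta(days=delta)
        if DAYS[d.weekday()] in days:
            out.append(d.replace(hour=hh, minute=mm, second=0, microsecond=0))
    return out


def time_match(freq, when, window=WINDOW):
    """'Match' if the event time lies within +/-window of a scheduled time, else 'No Match'.

    `when` may be a datetime or an ISO-8601 string (constructed inputs below).
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for exp in scheduled_times(freq, when):
        if exp - window <= when <= exp + window:      # inclusive +/-300 s, as in the thread
            return "Match"
    return "No Match"


if __name__ == "__main__":
    # Constructed sample rows: (job, frequency from the lookup, observed event time).
    samples = [
        ("nightly_backup", "Mon-Fri @ 3:30", "2024-03-06T03:33:00"),   # Wed, 3 min late   -> Match
        ("nightly_backup", "Mon-Fri @ 3:30", "2024-03-06T03:36:00"),   # Wed, 6 min late   -> No Match
        ("nightly_backup", "Mon-Fri @ 3:30", "2024-03-09T03:30:00"),   # Sat, not scheduled -> No Match
        ("weekend_report", "Sat,Sun @ 14:05", "2024-03-10T14:01:00"),  # Sun, 4 min early  -> Match
        ("rotate_logs",    "Sun @ 0:02",      "2024-03-09T23:58:00"),  # Sat 23:58 vs Sun 00:02 -> Match
    ]
    for job, freq, ts in samples:
        print(job, freq, ts, time_match(freq, ts))
```

In SPL the same steps map onto `rex` to split the frequency field into days, hour and minute, `strftime(_time, "%a")` for the event's weekday, `strptime` to build the expected timestamp on the event's date, and a single `eval` comparing `_time` (or `_indextime`, if the index time is what should be matched) against `expected-300` and `expected+300`.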
Hi @richgalloway ,
Can you possibly provide an example of how you'd incorporate your suggestion into the eval? Thank you.
| eval start=computedTime - 300, end=computedTime + 300
Thank you for the advice, I ended up incorporating your suggestion into my query as such:
| eval TimeMatch=if(_time >= ExpectedTime-300 AND _time <= ExpectedTime+300, "Match", "No Match")
This gave me the results I was hoping for. Thank you again!