Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What's the output of the following eval and now() function query?

bishtk
Communicator
‎08-31-2018 09:21 AM

Hi All,

Could you please help me here in confirming what would be the output of the below eval command?

"eval age = (now() - _time )"

Would the output be in minutes or seconds?

Thanks in advance,

0 Karma
Reply

Shan
Builder
‎08-31-2018 11:22 PM

@kundanbisht,

Let me tell you what exactly happens here.

eval age = (now() - _time )

now() is a splunk function gives you current time in epoc format(Unix time, data eg =1535779569).epoc time will be in seconds.
_time is your splunk indexing time (data eg=2018-09-01 07:26:09)
your trying to minus epoc time from datetime format it's possible .
please find the sample example below. If your now and _time is same you will get zero at age field..

| makeresults
 | eval epoctime=now()+1800
 | eval age = epoctime-_time
 | eval age1 = now()-_time
 | eval epoc_to_Datetime_format=strftime(epoctime,"%Y-%m-%d %H:%M:%S")
 | eval Datetime_to_Epoc_format=round(strptime(strftime(_time,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S"),0)
 | table epoctime epoc_to_Datetime_format _time Datetime_to_Epoc_format age age1

Thanks 🙂 ...

0 Karma
Reply

Shan
Builder
‎09-03-2018 10:34 PM

@kundanbisht,

Do you got your expected answers from above points ..

0 Karma
Reply

bishtk
Communicator
‎08-31-2018 09:55 AM

alt text

makeresults.png
Preview file
14 KB
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-31-2018 09:42 AM

@kundanbisht,

You will get a difference in second.

| makeresults  | eval age=now()-_time

Thanks

0 Karma
Reply

bishtk
Communicator
‎08-31-2018 09:55 AM

Hi @kamlesh_vaghela, this query result always gives 0 as output. How to figure out if its in seconds or minutes?

_time age
2018-08-31 12:52:29 0

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-01-2018 06:29 AM

@kundanbisht,
My given search is just an example.

Please try below for your data

index=your_index | eval age=now()-_time
0 Karma
Reply

bishtk
Communicator
‎09-03-2018 12:49 AM

Thank you @kamlesh_vaghela. Yes verified with the local data now. Its in seconds 🙂

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...
li.common.scroll-to.top