Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What's the output of the following eval and now() function query?

bishtk
Communicator
‎08-31-2018 09:21 AM

Hi All,

Could you please help me here in confirming what would be the output of the below eval command?

"eval age = (now() - _time )"

Would the output be in minutes or seconds?

Thanks in advance,

0 Karma
Reply

Shan
Builder
‎08-31-2018 11:22 PM

@kundanbisht,

Let me tell you what exactly happens here.

eval age = (now() - _time )

now() is a splunk function gives you current time in epoc format(Unix time, data eg =1535779569).epoc time will be in seconds.
_time is your splunk indexing time (data eg=2018-09-01 07:26:09)
your trying to minus epoc time from datetime format it's possible .
please find the sample example below. If your now and _time is same you will get zero at age field..

| makeresults
 | eval epoctime=now()+1800
 | eval age = epoctime-_time
 | eval age1 = now()-_time
 | eval epoc_to_Datetime_format=strftime(epoctime,"%Y-%m-%d %H:%M:%S")
 | eval Datetime_to_Epoc_format=round(strptime(strftime(_time,"%Y-%m-%d %H:%M:%S"),"%Y-%m-%d %H:%M:%S"),0)
 | table epoctime epoc_to_Datetime_format _time Datetime_to_Epoc_format age age1

Thanks 🙂 ...

0 Karma
Reply

Shan
Builder
‎09-03-2018 10:34 PM

@kundanbisht,

Do you got your expected answers from above points ..

0 Karma
Reply

bishtk
Communicator
‎08-31-2018 09:55 AM

alt text

Preview file
14 KB
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎08-31-2018 09:42 AM

@kundanbisht,

You will get a difference in second.

| makeresults  | eval age=now()-_time

Thanks

0 Karma
Reply

bishtk
Communicator
‎08-31-2018 09:55 AM

Hi @kamlesh_vaghela, this query result always gives 0 as output. How to figure out if its in seconds or minutes?

_time age
2018-08-31 12:52:29 0

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-01-2018 06:29 AM

@kundanbisht,
My given search is just an example.

Please try below for your data

index=your_index | eval age=now()-_time
0 Karma
Reply

bishtk
Communicator
‎09-03-2018 12:49 AM

Thank you @kamlesh_vaghela. Yes verified with the local data now. Its in seconds 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...