Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

how do I clac time out using eval

SasiB137
Engager
‎06-08-2015 03:47 PM

in,out,name
05-06-2015 11:37:04,05-06-2015 11:37:04 ,uid2
05-06-2015 11:36:06,,uid2

how do I do this,
If out time is not in the event and
OUT time > (current_time + 1hr) then mark status as TIMEOUT

lets say now is 05-06-2015 12:47:00 then expected output should be as

==================================
in,out,name
05-06-2015 11:37:04,05-06-2015 11:37:04 ,uid2 -> expected is -> LOGOUT

05-06-2015 11:36:06,,uid2 -> TIMEOUT

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2015 04:42 PM

Based on your comment:

OUT time > (current_time + 1hr) then mark status as TIMEOUT else 'ACTIVE'

This is the search (but it doesn't make any sense to me because now event should "happen after" now()):

... | eval outEpoch= strptime(out, "%m-%d-%Y %H:%M:%S") | eval status=if(outEpoch > (now() + 60*60), "TIMEOUT", "ACTIVE")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2015 04:42 PM

Based on your comment:

OUT time > (current_time + 1hr) then mark status as TIMEOUT else 'ACTIVE'

This is the search (but it doesn't make any sense to me because now event should "happen after" now()):

... | eval outEpoch= strptime(out, "%m-%d-%Y %H:%M:%S") | eval status=if(outEpoch > (now() + 60*60), "TIMEOUT", "ACTIVE")
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-08-2015 04:08 PM

Like this (probably not exactly what you need but I am having trouble comprehending your example; this should get you started anyway):

... | eval status=if(isnull(out), "TIMEOUT", "LOGOUT") | table in out name status
0 Karma
Reply
Solved! Jump to solution

SasiB137
Engager
‎06-08-2015 04:18 PM

OUT time > (current_time + 1hr) then mark status as TIMEOUT else 'ACTIVE'

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...