Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

relative time question

cbr654
Path Finder
‎10-15-2021 12:48 PM

Hello,
There is a tube Splunk video on finding new service interactive logins here:
https://www.youtube.com/watch?v=bgIG2um_Hd0

The following line I just need a better understanding.

| eval isOutlier=if (earliest >= relative_time(now),  "-1d@d"), 1, 0)

I understand this much. It is an outlier (1) if :

  • The earliest time of the first event is greater or equal to the time you ran the search 

 

"-1d@d"  -->I am not understanding this part? Is it going back 1 day to find other matches that are also >= relative time (now)?   

You would only get an Outlier if the times are the same . If you go back "1d@d"    the earliest time of an event 1 day ago will never be equal to the the time you ran the event which is the relative _time(now).  How are the matches made when your going back 1d@d? I know I am thinking about this the wrong way. any assistance in understanding the logic would be greatly appreciated.

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 01:02 PM

Let's look at it from the inside out (a la Excel's Evaluate Formula feature).

| eval isOutlier=if (earliest >= relative_time(now(),  "-1d@d"), 1, 0)

expands to

| eval isOutlier=if (earliest >= relative_time(2021-10-15T15:55:00, "-1d@d"), 1, 0)

The relative_time function works with epoch timestamps, but I'm using text timestamps for understandability. 

The "-1d@d" argument to relative_time says to subtract 1 day from the first argument and round off to the beginning of the day.  That gives us

| eval isOutlier=if (earliest >= 2021-10-14T00:00:00, 1, 0)

 Now we're left with a simple if-then-else.  We compare the value of the earliest field to the computed timestamp.  If earliest is greater than or equal to the timestamp then it's a newer event and isOutlier is set to 1; otherwise it is set to zero.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 01:02 PM

Let's look at it from the inside out (a la Excel's Evaluate Formula feature).

| eval isOutlier=if (earliest >= relative_time(now(),  "-1d@d"), 1, 0)

expands to

| eval isOutlier=if (earliest >= relative_time(2021-10-15T15:55:00, "-1d@d"), 1, 0)

The relative_time function works with epoch timestamps, but I'm using text timestamps for understandability. 

The "-1d@d" argument to relative_time says to subtract 1 day from the first argument and round off to the beginning of the day.  That gives us

| eval isOutlier=if (earliest >= 2021-10-14T00:00:00, 1, 0)

 Now we're left with a simple if-then-else.  We compare the value of the earliest field to the computed timestamp.  If earliest is greater than or equal to the timestamp then it's a newer event and isOutlier is set to 1; otherwise it is set to zero.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

cbr654
Path Finder
‎10-17-2021 03:46 AM

thank you very much Rich. You explained it in a way that makes send to me

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...