Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

relative time question

cbr654
Path Finder
‎10-15-2021 12:48 PM

Hello,
There is a tube Splunk video on finding new service interactive logins here:
https://www.youtube.com/watch?v=bgIG2um_Hd0

The following line I just need a better understanding.

| eval isOutlier=if (earliest >= relative_time(now),  "-1d@d"), 1, 0)

I understand this much. It is an outlier (1) if :

  • The earliest time of the first event is greater or equal to the time you ran the search 

 

"-1d@d"  -->I am not understanding this part? Is it going back 1 day to find other matches that are also >= relative time (now)?   

You would only get an Outlier if the times are the same . If you go back "1d@d"    the earliest time of an event 1 day ago will never be equal to the the time you ran the event which is the relative _time(now).  How are the matches made when your going back 1d@d? I know I am thinking about this the wrong way. any assistance in understanding the logic would be greatly appreciated.

 

 

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 01:02 PM

Let's look at it from the inside out (a la Excel's Evaluate Formula feature).

| eval isOutlier=if (earliest >= relative_time(now(),  "-1d@d"), 1, 0)

expands to

| eval isOutlier=if (earliest >= relative_time(2021-10-15T15:55:00, "-1d@d"), 1, 0)

The relative_time function works with epoch timestamps, but I'm using text timestamps for understandability. 

The "-1d@d" argument to relative_time says to subtract 1 day from the first argument and round off to the beginning of the day.  That gives us

| eval isOutlier=if (earliest >= 2021-10-14T00:00:00, 1, 0)

 Now we're left with a simple if-then-else.  We compare the value of the earliest field to the computed timestamp.  If earliest is greater than or equal to the timestamp then it's a newer event and isOutlier is set to 1; otherwise it is set to zero.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 01:02 PM

Let's look at it from the inside out (a la Excel's Evaluate Formula feature).

| eval isOutlier=if (earliest >= relative_time(now(),  "-1d@d"), 1, 0)

expands to

| eval isOutlier=if (earliest >= relative_time(2021-10-15T15:55:00, "-1d@d"), 1, 0)

The relative_time function works with epoch timestamps, but I'm using text timestamps for understandability. 

The "-1d@d" argument to relative_time says to subtract 1 day from the first argument and round off to the beginning of the day.  That gives us

| eval isOutlier=if (earliest >= 2021-10-14T00:00:00, 1, 0)

 Now we're left with a simple if-then-else.  We compare the value of the earliest field to the computed timestamp.  If earliest is greater than or equal to the timestamp then it's a newer event and isOutlier is set to 1; otherwise it is set to zero.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

cbr654
Path Finder
‎10-17-2021 03:46 AM

thank you very much Rich. You explained it in a way that makes send to me

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top