Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

relative time question

cbr654
Path Finder
‎10-15-2021 12:48 PM

Hello,
There is a tube Splunk video on finding new service interactive logins here:
https://www.youtube.com/watch?v=bgIG2um_Hd0

The following line I just need a better understanding.

| eval isOutlier=if (earliest >= relative_time(now),  "-1d@d"), 1, 0)

I understand this much. It is an outlier (1) if :

  • The earliest time of the first event is greater or equal to the time you ran the search 

 

"-1d@d"  -->I am not understanding this part? Is it going back 1 day to find other matches that are also >= relative time (now)?   

You would only get an Outlier if the times are the same . If you go back "1d@d"    the earliest time of an event 1 day ago will never be equal to the the time you ran the event which is the relative _time(now).  How are the matches made when your going back 1d@d? I know I am thinking about this the wrong way. any assistance in understanding the logic would be greatly appreciated.

 

 

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 01:02 PM

Let's look at it from the inside out (a la Excel's Evaluate Formula feature).

| eval isOutlier=if (earliest >= relative_time(now(),  "-1d@d"), 1, 0)

expands to

| eval isOutlier=if (earliest >= relative_time(2021-10-15T15:55:00, "-1d@d"), 1, 0)

The relative_time function works with epoch timestamps, but I'm using text timestamps for understandability. 

The "-1d@d" argument to relative_time says to subtract 1 day from the first argument and round off to the beginning of the day.  That gives us

| eval isOutlier=if (earliest >= 2021-10-14T00:00:00, 1, 0)

 Now we're left with a simple if-then-else.  We compare the value of the earliest field to the computed timestamp.  If earliest is greater than or equal to the timestamp then it's a newer event and isOutlier is set to 1; otherwise it is set to zero.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2021 01:02 PM

Let's look at it from the inside out (a la Excel's Evaluate Formula feature).

| eval isOutlier=if (earliest >= relative_time(now(),  "-1d@d"), 1, 0)

expands to

| eval isOutlier=if (earliest >= relative_time(2021-10-15T15:55:00, "-1d@d"), 1, 0)

The relative_time function works with epoch timestamps, but I'm using text timestamps for understandability. 

The "-1d@d" argument to relative_time says to subtract 1 day from the first argument and round off to the beginning of the day.  That gives us

| eval isOutlier=if (earliest >= 2021-10-14T00:00:00, 1, 0)

 Now we're left with a simple if-then-else.  We compare the value of the earliest field to the computed timestamp.  If earliest is greater than or equal to the timestamp then it's a newer event and isOutlier is set to 1; otherwise it is set to zero.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

cbr654
Path Finder
‎10-17-2021 03:46 AM

thank you very much Rich. You explained it in a way that makes send to me

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top