Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

time compare

chaitup
New Member
‎11-08-2019 03:26 AM

Hi Guys,
We have a scheduled PowerShell script which will give the output in a log file which will have a status of “LastDirSyncTime” time in UTC time as below on every 15 minutes.

LastDirSyncTime : 08-11-2019 07:35:17

Now our requirement is;
Compare the LastDirSyncTime (which is in UTC) with my Splunk Computer’s current time (Which is in PST) and provide the time difference. Our main goal is to trigger an alert in Splunk when ever “LastDirSyncTime” is more than 30 minutes.
Can some one please provide me a query to extract the time difference in minutes so that we can configure the required alerts.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-08-2019 07:40 AM

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
| stats max(_time) AS _time BY host
| eval age = now() - _time
| where age >= (30 * 60)

This will work fine if you were not lazy and you used the LastDirSyncTime as your event's _time. If you did not, then you will have to do it like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
| stats latest(LastDirSyncTime) AS _time BY host
| eval _time = strptime(_time, "%m-%d-%Y %H:%M:%S")
| eval age = now() - _time
| where age >= (30 * 60)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2019 04:55 AM

To compare timestamps they must first be converted to epoch (integer) form. Then you can subtract them to get the difference in seconds. From there, simple math should get you the desired result.

... | eval eLastDirSyncTime=strptime(LastDirSyncTime, "%d-%m-%Y %H:%M:%S")
| eval diffMin = (now() - eLastDirSyncTime) / 60
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...