Splunk Search

time difference of events

msachdeva3
Explorer

| eval test_time = now() - _time | search (test_time > 1800 AND test_time < 86400)

I'm trying to check whether the events in my logs (at the moment I run the query) are more than 30 mins & less than 24 hrs old, measured from the time they were logged?

Is the condition right?


DalJeanis
Legend

gpradeepkumarreddy's answer is probably the most useful way to do that.

If you wanted to do it in code, your code is close to correct as far as it goes, since epoch time is calculated in seconds. However, you probably want to use the now() function rather than time(), since it will give a single result for the entire search, as opposed to being calculated at a different microsecond for each event.


pradeepkumarg
Influencer

You can use the time picker or mention earliest and latest as below in your search:

earliest=-24h latest=-30m
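As an added worked example (my own, not from either reply; `index=main` and the output fields are placeholders), this combines both suggestions: the `earliest`/`latest` bounds restrict what the search actually reads, and `now()` is evaluated once per search, so every event's age is measured against the same reference instant rather than a per-event wall-clock reading from `time()`:

```spl
index=main earliest=-24h latest=-30m
| eval age_s = now() - _time
| where age_s > 1800 AND age_s < 86400
| eval age_min = round(age_s / 60, 0)
| table _time age_min host sourcetype
| sort - age_min
```

The `where` clause is redundant with the time bounds and is kept only so the computed age is visible for spot-checking the window; if you swap `now()` for `time()`, `age_s` drifts from event to event because it is recomputed as each event passes through `eval`.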
