These are automatically calculated for most types of event, apart from Windows EventLogs. Or if these dates actually are the same, or nearly the same, as the time of the event, you may be happy with using the built-in fields date_month, date_hour, date_mday, date_second etc. ' 11:22:33', into epoch, with the string being described by Y. skip the 2013- part) and read 5 characters, i.e. strptime(X,Y) will convert a string X, e.g. Which will take the field (CloseDateTime) jump to offset 5 (i.e. I'm trying to create a timechart at intervals of one month however the below code produces the sum of the entire month, I want the value on the 1st of each month, please let me know any solutions to. Of course, there is more than one way to do it, one of which is to use eval's substr() function to operate on the string CloseDateTime directly (if you are happy with how it looks, and just want to strip off a few parts). In this case Month-Day will be stored in the new field 'cd'. The inner function - strptime() - converts your string to epoch, and the outer - strftime() - converts/extracts the parts you want, and in what order, from the epoch. Well, since you have the CloseTimeDate as a string, you can do the calculations pretty much as described above, all done in one eval sourcetype="TicketAnalysis" See the following resources for more info Go to Manager > Access controls > Users to set this for users, or to Manager > Your account to set the timezone for yourself. In Splunk 4.3, each user can choose their own timezone for viewing the data/reports/etc. startmonth will be '03' (for March) for the event above. Do this in the OS, and Splunk will render the timezone in UTC by default. Now start and end are in epoch (an integer), dur is also an integer (the number of seconds between the two dates). Add the following lines | eval startmonth = strftime(start, "%m") Then you want to calculate how many transactions started in March.
| eval start=strptime(startdate,"%m/%d/%Y") This event looks like 11:22:33 transactionid=123 startdate= enddate= You want to calculate the difference between two timestamps in an event. strftime(X,Y) will convert an epoch timestamp (X) into a string, defined by Y. " 11:22:33", into epoch, with the string being described by Y Note - The 'timestamp' ODATE is not the actual timestamp for the log and so I can't. What's the best way to convert it to the day of week? For example if I had a field called ODATE then I'd want a field called ODAYOFWEEK=Tuesday. I want to create 2 fields, one with today's date so I have that one eval todaydate=strftime(now(),"%B %d, %Y") and the second one where I want to subtract 30 days from that date. I have a Field that contains values in the YYYY-MM-DD. strptime(X,Y) will convert a string X, e.g. Hi guys, Probably very simple question but I just tangled myself in the logic.