Usage of Functions in SPLUNK: RELATIVE_TIME

  • This function works on UNIX (epoch) time.
  • This function takes two arguments.
  • X is the first argument, an epoch time value, and Y is the second argument, a relative time specifier (for example "-2d" or "+2d").
  • It returns the UNIX time value of Y applied to X.
Find below the skeleton of the usage of the function "relative_time" in Splunk.

….| eval New_Field=relative_time(X,Y)

Example 1:

index="nissan" sourcetype="csv"
| table Opened
| eval EpochOpened=strptime(Opened,"%m/%d/%Y %H:%M")
| eval A=relative_time(EpochOpened,"-2d")
| eval 2DaysBefore=strftime(A,"%c")
| fields - A,Epoch*

Result :

[Result screenshot omitted: table showing the Opened and 2DaysBefore fields]

Explanation:

In the above query, "Opened" is an existing field in the "nissan" index, and the sourcetype name is "csv".

First we selected the "Opened" field with the "table" command.

Then we converted the "Opened" field to epoch time with the "strptime" function and stored it in the "EpochOpened" field. With the "relative_time" function we computed the date 2 days before the "Opened" value and stored it in "A". Next, with the "strftime" function we formatted the epoch time into a human-readable form and put it into the "2DaysBefore" field. Finally, with the "fields" command we excluded the "A" and "EpochOpened" fields from the result set.

*************************************************************************************

Example 2:

index="nissan" sourcetype="csv"
| table Opened
| eval EpochOpened=strptime(Opened,"%m/%d/%Y %H:%M")
| eval A=relative_time(EpochOpened,"+2d")
| eval 2DaysAfter=strftime(A,"%c")
| fields - A,Epoch*

Result:

[Result screenshot omitted: table showing the Opened and 2DaysAfter fields]

Explanation:

In the above query, "Opened" is an existing field in the "nissan" index, and the sourcetype name is "csv".

First we selected the "Opened" field with the "table" command.

Then we converted the "Opened" field to epoch time with the "strptime" function and stored it in the "EpochOpened" field. With the "relative_time" function we computed the date 2 days after the "Opened" value and stored it in "A". Next, with the "strftime" function we formatted the epoch time into a human-readable form and put it into the "2DaysAfter" field. Finally, with the "fields" command we excluded the "A" and "EpochOpened" fields from the result set.
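The two examples only use "-2d" and "+2d", but the specifier syntax that relative_time accepts is richer: an offset can carry any unit (s, m, h, d, w, mon, y) and can be followed by a snap-to boundary such as "@d" or "@mon", which is what you want when building a look-back window around an event timestamp (say, "everything from midnight two days before the ticket was opened"). The Python below is an added example written for this page, not Splunk's own code: it re-implements the specifier semantics described in the bullet list above and reproduces the strptime -> relative_time -> strftime pipeline of both examples in shift_opened. The function names relative_time and shift_opened, the sample "Opened" value, the UTC default (Splunk uses the search user's timezone) and the clamping of month/year steps to the last valid day are all this example's assumptions.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Added example, not Splunk's own code: a simplified re-implementation of the
# relative time specifiers accepted by relative_time(X, Y). Assumptions: UTC by
# default (Splunk uses the search user's timezone), and month/year steps clamp
# to the last valid day of the target month (Jan 31 +1mon -> Feb 29 in 2024).

_ALIASES = {
    "s": ("s", "sec", "second", "seconds"),
    "m": ("m", "min", "minute", "minutes"),
    "h": ("h", "hr", "hour", "hours"),
    "d": ("d", "day", "days"),
    "w": ("w", "week", "weeks"),
    "mon": ("mon", "month", "months"),
    "y": ("y", "yr", "year", "years"),
}
_CANON = {alias: unit for unit, aliases in _ALIASES.items() for alias in aliases}

# A specifier is a left-to-right sequence of offsets ("-2d", "+3h", "1mon") and
# snap-to boundaries ("@d", "@mon"): "-2d@d" = back two days, then start of day.
_TOKEN = re.compile(r"([+-]?)(\d+)([a-z]+)|@([a-z]+)")


def _shift(dt, n, unit):
    """Move dt by n units; months/years keep the day-of-month when it exists."""
    if unit in ("s", "m", "h", "d", "w"):
        key = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}[unit]
        return dt + timedelta(**{key: n})
    if unit == "mon":
        year, month0 = divmod(dt.year * 12 + (dt.month - 1) + n, 12)
        day = min(dt.day, monthrange(year, month0 + 1)[1])  # clamp (assumption)
        return dt.replace(year=year, month=month0 + 1, day=day)
    day = min(dt.day, monthrange(dt.year + n, dt.month)[1])  # Feb 29 -> Feb 28
    return dt.replace(year=dt.year + n, day=day)


def _snap(dt, unit):
    """Truncate dt to the start of the unit; "@w" snaps to Sunday like Splunk's @w0."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=(day.weekday() + 1) % 7)  # weekday(): Mon=0 .. Sun=6
    if unit == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)


def relative_time(epoch, spec, tz=timezone.utc):
    """UNIX time of specifier `spec` (e.g. "-2d", "+2d", "-7d@d", "@mon+1d") applied to `epoch`."""
    dt = datetime.fromtimestamp(epoch, tz)
    spec, pos = spec.strip(), 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"bad relative time specifier near {spec[pos:]!r}")
        sign, digits, unit, snap_unit = m.groups()
        if snap_unit is not None:
            if snap_unit not in _ALIASES:  # snap units are the canonical names only
                raise ValueError(f"unknown snap unit {snap_unit!r}")
            dt = _snap(dt, snap_unit)
        else:
            if unit not in _CANON:
                raise ValueError(f"unknown time unit {unit!r}")
            dt = _shift(dt, int(digits) * (-1 if sign == "-" else 1), _CANON[unit])
        pos = m.end()
    return dt.timestamp()


def shift_opened(opened, spec, tz=timezone.utc):
    """The post's pipeline: strptime("%m/%d/%Y %H:%M") -> relative_time -> strftime.

    The output layout is fixed to "%Y-%m-%d %H:%M" rather than "%c" so that the
    result does not depend on the machine's locale.
    """
    epoch = datetime.strptime(opened, "%m/%d/%Y %H:%M").replace(tzinfo=tz).timestamp()
    return datetime.fromtimestamp(relative_time(epoch, spec, tz), tz).strftime("%Y-%m-%d %H:%M")


if __name__ == "__main__":
    opened = "03/15/2024 14:30"  # constructed sample value for the "Opened" field
    for spec in ("-2d", "+2d", "-2d@d", "@w", "@mon+1d", "-1mon"):
        print(f"{opened} {spec:>8} -> {shift_opened(opened, spec)}")
```

Running the script shows the difference that matters in practice: "-2d" keeps the time of day of the original "Opened" value, while "-2d@d" lands on midnight of that day, and "@w" goes back to the preceding Sunday. The tokenizer rejects anything it cannot parse (such as "2 days" with a space) instead of silently returning the unchanged timestamp, which is the failure mode to watch for when a specifier is built from user-supplied dashboard input.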


Now you can effectively utilize the relative_time function to meet your requirements !!

Hope you are now comfortable in : Usage of Functions in SPLUNK: RELATIVE_TIME

HAPPY SPLUNKING !!
