Dealing with Time

-

Dealing with Time:
  • Its extremely important to have a proper timestamp.
  • It helps to have all the events organized.
  • _time is a default field and is present in all the events.
  • In cases where an event doesn't contain a timestamp, Splunk automatically assign a timestamp value to the event when the event was indexed.
  • Refrain from using "All Time", reason being it will really be a very heavy task for Splunk to have all the data in place and then to apply your SPL over it.
Time conversion and its usage:
  • There is a function called now(), which takes no arguments and returns the time when the search was started.
  • Another add-on in Splunk is, we have an ability to convert and use time based on our requirements.
  • For doing so we can use eval function followed by few functions:
    • strftime(X, Y)
      • This will convert an epoch timestamp (X) into a string format described by Y (Example: To showcase time based on our requirements).
    • strptime(X, Y)
      • This will convert a string X, e.g. "2019-04-09 11:00:00", into epoch, with the string format described by Y (Example: To calculate the difference between two timestamps).
Important variables:
  • %c: Displays day, date and time defined by operating system.
  • %+: Displays day, date, time along with the timezone as defined by operating system.
  • %H: Displays hours based on 24 hours clock (00-23).
  • %M: Displays minutes (00-59).
  • %S: Displays seconds (00-59).
  • %I: Displays hours based on 12 hours clock (01-12).
  • %k: Similar to %H but leading 0's are replaced by blank spaces.
  • %N: Number of subsecond digits, %3N for milliseconds %6N for microseconds %9N for nanoseconds.
  • %s: Gives you unix timestamps in seconds.

  • %T: Includes hours, minutes, seconds and gives time based on 24 hours clock.
  • %Z: Gives the timezone as well.
  • %z: Gives the timezone offset from UTC.
  • %F: Gives the date in YYYY-MM-DD format.
  • %x: Gives the date in MM/DD/YY format.
  • %A: Name of the day (Full).
  • %a: Name of the day (Abbreviated form).
  • %d/%e: Day of the month.
  • %j: Day of the year.
  • %V: Week of the year.
  • %b: Abbreviated name of the month.
  • %B: Full name of the month.
  • %m: Month as a decimal number.

  • %y: Year as a decimal number in YY format.
  • %Y: Year as a decimal number in YYYY format.


Comments

Post a Comment

Popular posts from this blog

#3 Splunk sub(Commands) [eval, round, trim, stats, ceil, exact, floor, tostring]

-
Image
ROUND: Eval with round takes one or two numeric arguments, returning 'first value' rounded to the amount of decimal places specified in 'second value'.  By default it will remove all the decimals. Example: index=idx_messages sourcetype=linux_logs | eval new_rt= trim ( replace (response_time, "ms.", "")) | stats avg (new_rt) as Average | eval Average= round (Average) Remove all the decimal values. Example: | eval Average= round (Average,3) Rounded the value up-to 3 decimal places. Example: | eval Average= ceil (Average) Round the value up-to the next highest integer. Example: | eval Average= exact (Average) Give the output with maximum possible number of decimal values. Example: | eval Average= floor (Average) Round the value down to the nearest whole integer. Apart from this, there are other functions as well which are used by eval command, for instance pi (), sqrt () etc. TOSTRING: Hel...
Read more

#6 Splunk sub(Commands) [fields, rename, replace, table, transaction]

-
FIELDS:  This command helps to keep or remove specified fields from the search results, below command will keep just three fields in your search result. Example: | fields request, rc, pt RENAME:  This command helps to rename field(s), below command will rename a field named as service to serviceType and RC as responseCode Example: | rename service AS serviceType, RC AS responseCode REPLACE:  This command helps to replace the values of fields with another value, below command will replace the values "fetchReport" and "viewReport" as "Report" in "serviceType' field. Example: | replace fetchReport with Report, viewReport with Report in serviceType TABLE: This command helps to format the results into tabular output. Example: | table request, rc, pt TRANSACTION:  This command helps to merge events into a single event based upon a common identifier, below command will create events based on two events i.e. it will fetch the txn-id w...
Read more

#1 Splunk sub(Commands) [top, rare, fields, table, rename, sort]

-
Image
TOP: Will show you top results with respect to your field. Example: index=_internal | top limit=5 component RARE: Will help you to find out least common values of a field, i.e. it is similar to TOP but works in opposite direction. Example: index=_internal | rare limit=5 component FIELDS: Will help you to limit your columns, lets say you want to remove count from above table, fields can help you to achieve that. Though there are other usage of fields as well but you will learn slowly and gradually when you start building some complex queries. Example: index=_internal | top limit=5 component | fields component, percent TABLE: Same thing can be achieved via table as well. Example: index=_internal | top limit=5 component | table component, percent RENAME: Lets say you want to rename a column, for that you can use rename command. Example: index=_internal | top limit=5 component | rename percen...
Read more