now()

When used in a search, this function returns the UNIX time when the search is run. If you want to return the UNIX time when each result is returned, use the time() function instead.

The following example determines the UNIX time value of the start of yesterday, based on the value of now():

| eval n=relative_time(now(), "-1d@d")

Extended example. If you are looking for events that occurred within the last 30 minutes, you need to calculate the event hour, event minute, the current hour, and the current minute. You use the now() function to calculate the current hour (curHour) and current minute (curMin). The event timestamp, in the _time field, is used to calculate the event hour (eventHour) and event minute (eventMin).

earliest=-30d | eval eventHour=strftime(_time,"%H") | eval eventMin=strftime(_time,"%M") | eval curHour=strftime(now(),"%H") | eval curMin=strftime(now(),"%M") | where (eventHour=curHour and eventMin > curMin - 30) or (curMin < 30 and eventHour=curHour-1 and eventMin > curMin+30) | bin _time span=1d | timechart count() by _time

relative_time(<time>,<specifier>)

This function takes a UNIX time and a relative time specifier and returns the UNIX time value of the specifier applied to the time. The following example specifies an earliest time of 2 hours ago snapped to the hour and a latest time of 1 hour ago snapped to the hour:

| where _time>relative_time(now(), "-2h@h") AND _time<relative_time(now(), "-1h@h")

strftime(<time>,<format>)

This function takes a UNIX time value and renders the time as a string using the format specified. Use the first 10 digits of a UNIX time to use the time in seconds. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

If the time is in milliseconds, microseconds, or nanoseconds, you must convert the time into seconds. You can use the pow function to convert the number. To convert from milliseconds to seconds, divide the number by 1000 or 10^3. To convert from microseconds to seconds, divide the number by 10^6. To convert from nanoseconds to seconds, divide the number by 10^9. The following search uses the pow function to convert from nanoseconds to seconds:

strptime(<str>,<format>)

Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format you specify. You use date and time variables to specify the format that matches the string. The strptime function doesn't work with timestamps that consist of only a month and year. The timestamps must include a day. For example, if the string is 17:19:01, the format must be %Y-%m-%d%H:%M:%S.
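As an added example (not code from the Splunk documentation), the following Python sketch reproduces the semantics described above: a relative time specifier with a snap modifier such as "-2h@h" or "-1d@d", the earliest/latest window from the where clause, and the "first 10 digits" rule for normalising millisecond, microsecond and nanosecond UNIX times to seconds. It is an assumed, simplified subset of the specifier syntax (s/m/h/d units and @ snapping only) and evaluates everything in UTC; Splunk's own engine supports more units and applies the user's time zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed, simplified subset of the specifier syntax: [+|-]N<unit>[@<unit>]
_SPEC = re.compile(r"^([+-]?\d+)?([smhd])?(?:@([smhd]))?$")
_UNIT = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def to_seconds(unix_time: int) -> int:
    """Normalise a UNIX time given in s, ms, us or ns to whole seconds.
    This is the 'first 10 digits' rule: 13 digits -> divide by 10^3,
    16 -> 10^6, 19 -> 10^9 (what the page does with pow())."""
    digits = len(str(abs(unix_time)))
    if digits <= 10:
        return unix_time
    return unix_time // (10 ** (digits - 10))


def relative_time(unix_time: int, spec: str) -> int:
    """Apply a relative time specifier ('-2h@h', '-1d@d', '@h', ...) to a UNIX time."""
    m = _SPEC.match(spec)
    if not m or (m.group(1) is None and m.group(2) is not None):
        raise ValueError(f"bad relative time specifier: {spec!r}")
    amount, unit, snap = m.groups()
    dt = datetime.fromtimestamp(to_seconds(unix_time), tz=timezone.utc)
    if amount is not None:
        # offset is applied first; a bare number is taken as seconds
        dt += timedelta(**{_UNIT[unit or "s"]: int(amount)})
    if snap:
        # '@unit' then rounds DOWN to the start of that unit, e.g. '@h' -> HH:00:00
        floor = {"s": dict(microsecond=0),
                 "m": dict(second=0, microsecond=0),
                 "h": dict(minute=0, second=0, microsecond=0),
                 "d": dict(hour=0, minute=0, second=0, microsecond=0)}[snap]
        dt = dt.replace(**floor)
    return int(dt.timestamp())


def in_window(event_time: int, now_time: int,
              earliest: str = "-2h@h", latest: str = "-1h@h") -> bool:
    """The page's where clause: _time > earliest AND _time < latest, relative to now()."""
    t = to_seconds(event_time)  # accept ms/us/ns event timestamps too
    return relative_time(now_time, earliest) < t < relative_time(now_time, latest)
```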