Shows all hosts that are sending events with timestamps more than 5 minutes (300 seconds) ahead of the current time.
| metadata type=hosts | where lastTime>now()+300 | eval mins_in_future=(lastTime-now())/60 | eval years_in_future=mins_in_future/60/24/365 | fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S %Z") | table lastTime, host, mins_in_future, years_in_future | sort - mins_in_future
Timestamp vs Indextime of Events (Diagnostic Query)
This query has in the past helped me track down issues between forwarders and indexers, and even on occasion find some time sync issues. Feel free to tweak, modify, and improve upon this query, as I'm not 100% certain the math will work in your favor outside of highlighting (positive or negative) time differences! index=* […]
Convert non-timestamp time to Epoch
Scenario: You have a non-timestamp field that you need to convert to epoch time to perform statistics on within Splunk. Here's how you do it:
your search goes here | eval Epoch_Time=strptime(Field_Date, "%Y-%m-%d %H:%M:%S")