
What is a better way of comparing EPOCH times?

Kendo213
Communicator

I have the query below that checks for the expiration date of a certificate, converts it to epoch time, and then basically changes the value of the result as it 'degrades' (gets closer to expiration). I have a feeling this is really messy and could be improved on, so I'm just looking for general recommendations on a better way of doing it. It works, but to me it looks excessive.

index=test host=mycertificateauthority | rex field=Line "(?<date>\d{1,2}\/\d{1,2}\/\d{4})" | stats count by _time,host,date | eval dateepoch=strptime(date,"%m/%d/%Y") | eval thirtydays=(relative_time(dateepoch,"-30d")) | eval fifteendays=(relative_time(dateepoch,"-15d")) | eval fivedays=(relative_time(dateepoch,"-5d"))
| eval result=case((now()<=thirtydays),"0",
(now()>=thirtydays) AND (now()<=fifteendays) AND (now()<=fivedays) AND (now()<=dateepoch),"1",
(now()>=thirtydays) AND (now()>=fifteendays) AND (now()<=fivedays) AND (now()<=dateepoch),"2",
(now()>=thirtydays) AND (now()>=fifteendays) AND (now()>=fivedays) AND (now()<=dateepoch),"3",
(now()>=thirtydays) AND (now()>=fifteendays) AND (now()>=fivedays) AND (now()>=dateepoch),"4")

somesoni2
Revered Legend

Try like this

index=test host=mycertificateauthority| rex field=Line "(?<date>\d{1,2}\/\d{1,2}\/\d{4})" | stats count by _time,host,date | eval dateepoch=strptime(date,"%m/%d/%Y") | eval thirtydays=(relative_time(dateepoch,"-30d")) | eval fifteendays=(relative_time(dateepoch,"-15d")) | eval fivedays=(relative_time(dateepoch,"-5d")) 
| eval result=case((now()<=thirtydays),"0",
(now()>=thirtydays) AND (now()<=fifteendays) ,"1",
(now()>=fifteendays) AND (now()<=fivedays) ,"2",
(now()>=fivedays) AND (now()<=dateepoch),"3",
(now()>=dateepoch),"4") 

Since you're using case, you don't have to repeat already-checked expressions.
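The first-match behaviour of case() that the answer relies on, reimplemented in Python so the bucket boundaries can be checked offline. This is an added example, not code from the thread: it goes one step further than the answer by dropping the `>=` lower bounds entirely, since a branch is only reached when every earlier one was false. The sample "Line" values are constructed, and the date conversion assumes UTC and fixed 86400-second days (Splunk's strptime uses the search-time zone, and relative_time counts calendar days).

```python
import re
import time
from datetime import datetime, timezone

# Constructed sample events in the shape the thread's rex expects:
# a "Line" field containing the certificate expiry date as m/d/Y.
SAMPLE_LINES = [
    "Certificate CN=web01 expires 12/31/2030",
    "Certificate CN=vpn expires 1/5/2025",
    "Certificate CN=broken expires <none>",   # no date: rex drops it
]

DATE_RE = re.compile(r"(?P<date>\d{1,2}/\d{1,2}/\d{4})")
DAY = 86400  # assumption: fixed-length days, no DST handling


def to_epoch(date_str):
    """Mirror strptime(date, "%m/%d/%Y"): midnight of that day (UTC assumed)."""
    dt = datetime.strptime(date_str, "%m/%d/%Y").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def expiry_bucket(dateepoch, now):
    """Mirror the case() in the accepted answer. Branches are tried in order and
    the first true one wins, so each branch only needs its own upper bound; the
    ">=" checks in the SPL are implied by the previous branch having failed."""
    thirtydays = dateepoch - 30 * DAY    # relative_time(dateepoch, "-30d")
    fifteendays = dateepoch - 15 * DAY   # relative_time(dateepoch, "-15d")
    fivedays = dateepoch - 5 * DAY       # relative_time(dateepoch, "-5d")
    branches = [
        (now <= thirtydays, "0"),   # more than 30 days before expiry
        (now <= fifteendays, "1"),  # 30 to 15 days before expiry
        (now <= fivedays, "2"),     # 15 to 5 days before expiry
        (now <= dateepoch, "3"),    # final 5 days
        (True, "4"),                # already expired
    ]
    for cond, value in branches:
        if cond:
            return value


def classify_lines(lines, now=None):
    """Apply the rex, convert the date, and bucket it, like the full search."""
    now = time.time() if now is None else now
    results = []
    for line in lines:
        match = DATE_RE.search(line)
        if match is None:
            continue  # rex leaves the event without a date field
        date = match.group("date")
        results.append((date, expiry_bucket(to_epoch(date), now)))
    return results
```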


Kendo213
Communicator

Great, thank you. I was thinking I was missing something, this helps.


skoelpin
SplunkTrust

How fast does it run? You could package this up in a macro so it's more user friendly.

If it's fast and works correctly, then there isn't much need to clean it up.
