Splunk has powerful commands for analyzing events over time, or within a window of time, using the timestamps of the events. One of the most interesting and powerful of these is the relative_time function. The relative_time function provides a way to examine events across a span of time from as far back as the data allows to the present. Have you ever needed to examine events that occurred between 2:30 AM and 3:30 AM relative to the current time, say 12:00 PM? In this article we explore how to do this using Splunk's relative_time function.
What is the Splunk Relative Time Function?
Relative time is a measurement of time as related to a start time. For example, the relative time 2 hours before a start time of 2:00 PM would be 12:00 PM. Splunk's relative_time function takes a start time and a duration and returns the relative time as an epoch value. An epoch value is a number representing time in seconds (the seconds elapsed since 00:00:00 UTC on 1 January 1970). You can convert between epoch and human-readable time using other Splunk time functions such as strftime and strptime.
The Benefits of using the Splunk Relative Time Function
Analyze events over a range of time. You use relative_time to get the start and stop epoch values of your range, then use other search commands to traverse that range and perform your analysis.
Cuts down on the number of Splunk commands required to compute a relative time value. Without relative_time you would need several eval statements to calculate an epoch value for the second, minute, hour, and day (or further back, depending on how far you need to look). With relative_time the same is achieved in one command.
How to use the Splunk Relative Time Function
To get the epoch value for three hours ago, and a human-readable version of it, you would execute these SPL statements:
| eval epoch_three_hours_ago = relative_time(now(), "-3h")
| eval human_three_hours_ago = strftime(epoch_three_hours_ago, "%c")
To filter events whose timestamp falls within the window between 22 and 6 hours ago (each boundary snapped to the start of the hour with @h), you would execute this SPL statement:
... | where _time < relative_time(now(), "-6h@h") AND _time > relative_time(now(), "-22h@h")
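To make the offset and snap-to semantics of these modifiers concrete, here is an added example (not code from the original article or from Splunk) that re-implements a small subset of the relative_time modifier syntax in Python and applies the 22-to-6-hours-ago window above to a few constructed events. Assumptions: only the s/m/h/d units and the "@unit" snap-to form are supported, modifiers are applied left to right as written, and all times are UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified re-implementation of Splunk's relative-time modifier syntax (assumption:
# only the s/m/h/d units and the "@unit" snap-to form, applied left to right as written).
_TOKEN = re.compile(r"([+-]\d+)([smhd])|@([smhd])")
_UNIT_ARG = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_ZERO = {"s": (), "m": ("second",), "h": ("minute", "second"), "d": ("hour", "minute", "second")}


def _snap(dt, unit):
    """Snap backwards to the start of `unit` (Splunk always rounds down, never up)."""
    return dt.replace(microsecond=0, **{field: 0 for field in _ZERO[unit]})


def relative_time(epoch, modifier):
    """Apply a modifier such as "-3h" or "-6h@h" to `epoch`; return epoch seconds (UTC)."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    pos = 0
    for m in _TOKEN.finditer(modifier):
        if m.start() != pos:  # gap between tokens means unparseable input
            raise ValueError(f"bad relative time modifier: {modifier!r}")
        pos = m.end()
        if m.group(3):        # "@h": snap-to unit
            dt = _snap(dt, m.group(3))
        else:                 # "-6h": signed offset
            dt += timedelta(**{_UNIT_ARG[m.group(2)]: int(m.group(1))})
    if pos != len(modifier):  # trailing junk such as "-6x"
        raise ValueError(f"bad relative time modifier: {modifier!r}")
    return int(dt.timestamp())


def events_in_window(events, now_epoch, earliest_mod, latest_mod):
    """Mirror of: ... | where _time < relative_time(now(), latest) AND _time > relative_time(now(), earliest)"""
    earliest = relative_time(now_epoch, earliest_mod)
    latest = relative_time(now_epoch, latest_mod)
    return [e for e in events if earliest < e["_time"] < latest]  # strict, as in the SPL


# Constructed sample data (not real logs): "now" is 2024-03-15 12:00 UTC.
NOW = int(datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_EVENTS = [
    {"id": "e1", "_time": NOW - 1 * 3600, "msg": "failed login svc-backup"},   # 11:00, too recent
    {"id": "e2", "_time": NOW - 6 * 3600, "msg": "failed login svc-backup"},   # 06:00, on the boundary, excluded
    {"id": "e3", "_time": NOW - 7 * 3600, "msg": "failed login svc-backup"},   # 05:00, in window
    {"id": "e4", "_time": NOW - 77400, "msg": "password changed jdoe"},        # 14:30 previous day, in window
    {"id": "e5", "_time": NOW - 23 * 3600, "msg": "password changed jdoe"},    # 13:00 previous day, too old
]
```

Note that because the snap is applied after the offset, "-6h@h" evaluated at 12:30 still yields 06:00, and "@d-2h" (snap first, then offset) yields 22:00 of the previous day.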
The Splunk relative_time function provides faster and more efficient analysis of your data by streamlining your searches and limiting the number of events queried by their timestamps. It is an important capability for developing effective and powerful Splunk content.