


Relative time is time that is based on the current time, such as last 5 minutes and last hour. You define relative time in your search by using time modifiers along with a time amount integer and unit. In addition, you can specify a "snap-to" time which takes the relative time and rounds down to the start of the time unit.

For example, if you specify the previous 1 hour -1h for the relative time, the search time is exactly 1 hour from the time you run the search. If you run the search at 3:45, the search looks for events with a timestamp of 2:45 or later.

You add a snap-to time using the symbol followed by a time unit. If you add a snap-to time unit of hours to the previous example, the search rounds the time down to the hour. If you run the search at 3:45, the search looks for events with a timestamp that starts at 2:00, which is the time of the search minus 1 hour, then rounded down to the beginning of the hour. You can snap to the beginning of any time unit, such as the beginning of the current hour, day, week, or month.

The syntax for using time modifiers is

The steps to specify a relative time modifier are:

Indicate the time offset from the current time. Begin your string with a plus (+) or minus (-) to indicate the offset from the current time. For example, to specify a time in the past, a time before the current time, use minus (-).

Define your time amount with a number and a unit. The supported time units are listed in the following table. If you specify a without a time unit, the number one is implied. An 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', and so forth. For example, to start your search an hour ago, use either of the following time modifiers.

When you snap to a time unit, the time that you specify rounds down to the nearest or latest time value. You separate the time amount from the "snap-to" time unit with an character. For example, snaps to the beginning of today which is 12:00 AM, or midnight. or for the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1). For other days of the week use w1 (Monday), w2, w3, w4, w5 and w6 (Saturday).

When snapping to the nearest or latest time, time always snaps backwards in time or rounds down to the latest time that is not after the specified time. For example, if the current time is 11:59:00 and you "snap to" hours, you will snap to 11:00, not 12:00. If you do not specify a time offset before the snap-to amount, the time used is the current time snapped to the specified amount. For example, if it is currently 11:59 PM on Friday and you use to "snap-to Saturday", the resulting time is the previous Saturday at 12:00 AM.
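The offset-then-snap rule described above, as an added example that is not Splunk's own code: a small Python resolver for a subset of relative time modifiers, useful for checking which window a scheduled search's earliest and latest values actually cover. It assumes the `@` snap-to character and the s, m, h, d, w, mon, q and y unit abbreviations of Splunk's time modifier syntax; the names `snap` and `resolve` and the sample times are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption of this sketch: only fixed-length offset units, no long aliases.
_OFFSET = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
_MOD = re.compile(r"^(?:([+-])(\d*)([smhdw]))?(?:@(w[0-6]|mon|[smhdwqy]))?$")

def snap(t, unit):
    """Round t DOWN to the start of unit; a snap never moves forward."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit[0] == "w":
        # Bare "w" is treated as w0 (Sunday); w1 = Monday ... w6 = Saturday.
        target = int(unit[1:] or 0)
        # Python's weekday() is Monday=0 ... Sunday=6; convert to Sunday=0.
        today = (day.weekday() + 1) % 7
        return day - timedelta(days=(today - target) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "q":
        # Quarter starts: Jan 1, Apr 1, Jul 1, Oct 1.
        return day.replace(month=3 * ((day.month - 1) // 3) + 1, day=1)
    return day.replace(month=1, day=1)  # "y"

def resolve(modifier, now):
    """Apply the signed offset first, then snap the result down."""
    m = _MOD.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    sign, amount, unit, snap_unit = m.groups()
    t = now
    if unit:
        # A missing amount implies 1, so "-h" behaves like "-1h".
        delta = timedelta(**{_OFFSET[unit]: int(amount or 1)})
        t = t + delta if sign == "+" else t - delta
    return snap(t, snap_unit) if snap_unit else t
```

Because the snap is applied after the offset, `-1h@h` run at 3:45 resolves to 2:00, so a search window that starts there covers more than one hour of events.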
