Last active
January 23, 2018 22:49
This Splunk macro converts a time field into a human-readable string that indicates how long ago an event happened. It converts a time field from epoch time to a string like "2 minutes ago". If the epoch time is in the future, it returns "0 minutes ago". Tags: #splunk #macro
# timesince
# -----------------------------
# makes a human readable description of the amount of time since a device was observed
#
[timesince(2)]
args = sourceField,destField
definition = eval now=time() | eval $destField$ = case( $sourceField$ > now, "0 minutes ago", now-$sourceField$ > (2*86400), round((now-$sourceField$) / (86400)) . " days ago", now-$sourceField$ > (2*3600), round((now-$sourceField$) / (3600)) . " hours ago", now-$sourceField$ > (2*60), round((now-$sourceField$) / (60)) . " minutes ago", now-$sourceField$ > 60, "1 minute ago", now-$sourceField$ <= 60, "just now" ) | fields - now
iseval = 0
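A Python re-implementation of the macro's case() branches, added here as an example (not part of the gist) so the thresholds can be checked outside Splunk before the macro is relied on for staleness reporting. The `now` value and the offsets are constructed; Splunk's round() is assumed to round ties half-up, which only matters at exact .5-second fractions.

```python
import math

DAY = 86400
HOUR = 3600
MINUTE = 60


def _round_half_up(x: float) -> int:
    # Splunk's round(X) with no precision argument returns the nearest integer.
    # The gist does not state its tie-breaking rule, so half-up is assumed here.
    return int(math.floor(x + 0.5))


def timesince(source_epoch: float, now: float) -> str:
    """Mirror the macro's case() branches; like Splunk, the first true branch wins."""
    delta = now - source_epoch
    if source_epoch > now:            # $sourceField$ > now
        return "0 minutes ago"
    if delta > 2 * DAY:               # strictly more than two days
        return f"{_round_half_up(delta / DAY)} days ago"
    if delta > 2 * HOUR:              # strictly more than two hours
        return f"{_round_half_up(delta / HOUR)} hours ago"
    if delta > 2 * MINUTE:            # strictly more than two minutes
        return f"{_round_half_up(delta / MINUTE)} minutes ago"
    if delta > 60:
        return "1 minute ago"
    return "just now"                 # delta <= 60, including delta == 0


def boundary_table(now: float = 1_516_750_140.0) -> dict:
    """Constructed offsets (seconds before `now`) sitting on and just past each boundary.

    Because every branch uses a strict '>', a value exactly on a boundary falls into the
    smaller unit: exactly 2 hours reads '120 minutes ago', exactly 2 days '48 hours ago'.
    """
    offsets = {
        "future": -5,
        "exact_60s": 60,
        "61s": 61,
        "exact_2min": 2 * MINUTE,
        "121s": 2 * MINUTE + 1,
        "exact_2h": 2 * HOUR,
        "2h_plus_1s": 2 * HOUR + 1,
        "1.5d": int(1.5 * DAY),
        "exact_2d": 2 * DAY,
        "2d_plus_1s": 2 * DAY + 1,
    }
    return {name: timesince(now - off, now) for name, off in offsets.items()}
```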
very nice - thanks!