SPLK-1004 Working with Time

Working with Time Detailed Explanation

1. Understanding _time

In Splunk, every event is assigned a timestamp when it is indexed. This timestamp is stored in the special field called _time.

Key facts about _time:

• It represents the event time, not necessarily the time the event was indexed.

• Stored in epoch format (number of seconds since Jan 1, 1970).

• Used for timechart, timeline, alerts, dashboards, and report scheduling.

Example:

_time = 1713452400

This corresponds to a human-readable date like 2024-04-18 12:00:00.

2. Common Time Functions

Splunk provides several built-in functions for working with time — converting, formatting, and calculating time-based values.

a) now()

Returns the current time in epoch format (number of seconds since 1970-01-01).

Example:

eval current_time = now()

Use this to compare against other epoch values.

b) relative_time(base_time, offset_string)

Calculates a relative point in time from a base.

Example:

eval last_hour_start = relative_time(now(), "-1h@h")

This means: "the start of the previous hour".

Common offset strings:

• -15m → 15 minutes ago

• -1h@h → start of the previous hour

• -1d@d → start of the previous day

• +1h@h → start of next hour

c) strftime()

Converts epoch time (like _time) to a readable string.

Syntax:

strftime(<epoch_field>, "<format>")

Example:

eval readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")

Output:

2024-04-18 15:45:00

Useful for:

• Dashboard tables

• Exported reports

• Labeling events by date/time

d) strptime()

The opposite of strftime() — converts a string into an epoch timestamp.

Example:

eval event_time = strptime("2024-04-18", "%Y-%m-%d")

Returns:

1713398400 (epoch format)

Use this to:

• Convert user input to epoch

• Compare date strings with _time or now()

3. Time Ranges

To keep your searches focused and efficient, it's important to apply explicit time constraints. This is especially critical in dashboards, alerts, and reports.

a) Explicit Time Filtering in SPL

You can define time boundaries using the earliest and latest search modifiers.

Example:

index=web_logs earliest=-24h@h latest=now()

This means:

• Search from exactly 24 hours ago (to the hour) up to the current moment.

b) Why use explicit time filtering?

• Reduces the amount of data to search

• Improves search performance

• Prevents scanning unnecessary historical data

• Ensures reproducibility of scheduled reports and alerts

c) Use in Dashboards, Reports, and Alerts

In dashboards:

• Use time pickers to let users dynamically control time range

In alerts:

• Define a precise time window (e.g., search every 15 minutes, over the last 15 minutes)

In reports:

• Use earliest/latest to ensure consistent timeframes for trend analysis

Summary Table: Key Time Functions and Use Cases

Function / Command	Purpose	Example
_time	Event timestamp field	Used in all time-based visualizations
now()	Returns current time (epoch)	eval current_time = now()
relative_time()	Time offsets based on now()	relative_time(now(), "-1d@d")
strftime()	Format epoch to string	strftime(_time, "%b %d %Y")
strptime()	Convert string to epoch	strptime("2024-04-18", "%Y-%m-%d")
earliest / latest	Explicit time filtering	earliest=-7d latest=now()

Working with Time (Additional Content)

1. Common strftime / strptime Format Tokens

When using strftime() (format epoch time to string) or strptime() (parse string into epoch), understanding format tokens is essential.

Below is a list of commonly used time format symbols:

Symbol	Meaning	Example Value
%Y	Four-digit year	2024
%y	Two-digit year	24
%m	Month (01–12)	04
%d	Day of month (01–31)	18
%H	Hour (00–23)	15
%M	Minute (00–59)	30
%S	Second (00–59)	45
%b	Abbreviated month name	Apr
%A	Full weekday name	Friday
%Z	Timezone	UTC, PDT, etc.

Example:

| eval readable_time = strftime(_time, "%Y-%m-%d %H:%M:%S")

This will output a string like 2024-04-18 15:30:45.

2. _time vs _indextime

These two system fields often confuse users, especially in data latency or delay monitoring scenarios.

Field	Description
_time	The event time, i.e., when the event actually occurred (parsed from log)
_indextime	The time the event was indexed by Splunk, i.e., when it arrived in Splunk

Use Case: Monitoring delayed events

To identify logs that took more than 10 minutes to arrive:

| eval delay = _indextime - _time
| where delay > 600

This helps detect ingestion delays, which are critical in real-time monitoring and SLA-sensitive applications.

3. Real-World Example with relative_time() and _time

When writing searches that detect burst conditions, anomalies, or lookback analysis, you often need dynamic time boundaries.

Scenario: Show events from the last 1 hour only

| where _time > relative_time(now(), "-1h")

This is functionally equivalent to earliest=-1h, but allows use inside post-filtering logic, subsearches, or as part of a larger conditional expression.

Use Case Examples:

• Identify users logging in during non-business hours:

| where strftime(_time, "%H") < "08" OR strftime(_time, "%H") > "18"

• Use strptime() to convert a date string into epoch time:

| eval baseline_start = strptime("2024-04-01", "%Y-%m-%d")
| where _time > baseline_start

Summary: Time Handling Best Practices

Practice	Why It Matters
Use proper time format tokens with strftime() / strptime()	Avoid format mismatch issues
Know when to use _time vs _indextime	Useful for monitoring delays and ingestion issues
Leverage relative_time() for dynamic time filtering	Enables flexible time-aware logic in SPL
Combine time functions with eval and where for filtering	Improves precision in trend analysis