Time functions
earliest(X)
Description
Returns the chronologically earliest seen occurrence of a value of a field X.
Usage
- This function processes field values as strings.
- You can use the
earliest(X)
function with thechart
,mstats
,stats
,timechart
, andtstats
commands.
Basic example
This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search. |
You run the following search to locate invalid user login attempts against a sshd (Secure Shell Daemon). You use the table command to see the values in the _time
, source
, and _raw
fields.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw
The results appear on the Statistics tab and look something like this:
_time | source | _raw |
---|---|---|
2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
2018-05-01 00:15:04 | tutorialdata.zip:./www2/secure.log | Thu May 01 2018 00:15:04 www2 sshd[5258]: Failed password for invalid user brian from 130.253.37.97 port 4284 ssh2 |
2018-04-30 00:15:02 | tutorialdata.zip:./www3/secure.log | Wed Apr 30 2018 00:15:02 www3 sshd[5258]: Failed password for invalid user operator from 222.169.224.226 port 1711 ssh2 |
2018-04-28 00:15:01 | tutorialdata.zip:./www1/secure.log | Mon Apr 28 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user rightscale from 87.194.216.51 port 3361 ssh2 |
2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
You extend the search using the earliest
function.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw | stats earliest(_raw)
The search returns the event with the _time
value 2018-04-27 00:15:01
, which is the event with the oldest timestamp.
_time | source | _raw |
---|---|---|
2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
latest(X)
Description
Returns the chronologically latest seen occurrence of a value of a field X.
Usage
- This function processes field values as strings.
- You can use the
latest(X)
function with thechart
,mstats
,stats
,timechart
, andtstats
commands.
Basic example
This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search. |
You run the following search to locate invalid user login attempts against a specific sshd (Secure Shell Daemon). You use the table command to see the values in the _time
, source
, and _raw
fields.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw
The results appear on the Statistics tab and look something like this:
_time | source | _raw |
---|---|---|
2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
2018-05-01 00:15:04 | tutorialdata.zip:./www2/secure.log | Thu May 01 2018 00:15:04 www2 sshd[5258]: Failed password for invalid user brian from 130.253.37.97 port 4284 ssh2 |
2018-04-30 00:15:02 | tutorialdata.zip:./www3/secure.log | Wed Apr 30 2018 00:15:02 www3 sshd[5258]: Failed password for invalid user operator from 222.169.224.226 port 1711 ssh2 |
2018-04-28 00:15:01 | tutorialdata.zip:./www1/secure.log | Mon Apr 28 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user rightscale from 87.194.216.51 port 3361 ssh2 |
2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
You extend the search using the latest
function.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw | stats latest(_raw)
The search returns the event with the _time
value 2018-05-01 00:15:05
, which is the event with the most recent timestamp.
_time | source | _raw |
---|---|---|
2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
per_day(X)
Description
Returns the values of field X, or eval expression X, for each day.
Usage
- You can use the
per_day(X)
function with thetimechart
command.
Basic examples
The following example returns the values for the field total
for each day.
... | timechart per_day(total)
The following example returns the results of the eval expression eval(method="GET")) AS Views
.
... | timechart per_day(eval(method="GET")) AS Views
Extended example
This example uses the sample dataset from the Search Tutorial but should work with any format of Apache Web access log. Download the data set from this topic in the Search Tutorial and follow the instructions to upload it to your Splunk deployment. |
This search uses the per_day() function and eval expressions to determine how many times the web pages were viewed and how many times items were purchased. The results appear on the Statistics tab.
sourcetype=access_* | timechart per_day(eval(method="GET")) AS Views_day, per_day(eval(action="purchase")) AS Purchases
To determine the number of Views and Purchases for each hour, minute, or second you can add the other time functions to the search. For example:
sourcetype=access_* | timechart per_day(eval(method="GET")) AS Views_day, per_hour(eval(method="GET")) AS Views_hour, per_minute(eval(method="GET")) AS Views_minute, per_day(eval(action="purchase")) AS Purchases
Use the field format option to change the number formatting for the field values.
per_hour(X)
Description
Returns the values of field X, or eval expression X, for each hour.
Usage
- You can use the
per_hour(X)
function with thetimechart
command.
Basic examples
The following example returns the values for the field total
for each hour.
... | timechart per_hour(total)
The following example returns the the results of the eval expression eval(method="POST")) AS Views
.
... | timechart per_hour(eval(method="POST")) AS Views
per_minute(X)
Description
Returns the values of field X, or eval expression X, for each minute.
Usage
- You can use the
per_minute(X)
function with thetimechart
command.
Basic examples
The following example returns the values for the field total
for each minute.
... | timechart per_minute(total)
The following example returns the the results of the eval expression eval(method="GET")) AS Views
.
... | timechart per_minute(eval(method="GET")) AS Views
per_second(X)
Description
Returns the values of field X, or eval expression X, for each second.
Usage
- You can use the
per_second(X)
function with thetimechart
command.
Basic examples
The following example returns the values for the field kb
for each second.
... | timechart per_second(kb)
Multivalue stats and chart functions | Date and time format variables |
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10
Feedback submitted, thanks!