Related Answers
Download topic as PDF
gentimes
Description
The gentimes command is useful in conjunction with the map command.
Generates timestamp results starting with the exact time specified as start time. Each result describes an adjacent, non-overlapping time range as indicated by the increment value. This terminates when enough results are generated to pass the endtime value.
This command does not work for future dates.
Syntax
| gentimes start=<timestamp> [end=<timestamp>] [increment=<increment>]
Required arguments
- start
- Syntax: start=<timestamp>
- Description: Specify as start time.
- <timestamp>
- Syntax: MM/DD/YYYY[:HH:MM:SS] | <int>
- Description: Indicate the timeframe, for example: 10/1/2017 for October 1, 2017, 4/1/2017:12:34:56 for April 1, 2017 at 12:34:56, or -5 for five days ago.
Optional arguments
- end
- Syntax: end=<timestamp>
- Description: Specify an end time.
- Default: midnight, prior to the current time in local time
- increment
- Syntax: increment=<int>(s | m | h | d)
- Description: Specify a time period to increment from the start time to the end time. Supported increments are seconds, minutes, hours, and days.
- Default: 1d
Usage
The gentimes command is anevent-generating command. See Command types.
Generating commands use a leading pipe character and should be the first command in a search.
The gentimes command returns four fields.
| Field | Description |
|---|---|
| starttime | The starting time range in UNIX time. |
| starthuman | The human readable time range in the format DDD MMM DD HH:MM:SS YYYY. For example Sun Apr 1 00:00:00 2018. |
| endtime | The ending time range in UNIX time. |
| endhuman | The human readable time range in the format DDD MMM DD HH:MM:SS YYYY. For example Fri Apr 13 23:59:59 2018. |
Examples
1. Generate daily time ranges by specifying dates
Generates daily time ranges from April 1 to April 5 in 2018. This search generates four intervals covering one day periods aligning with the calendar days April 1, 2, 3, and 4, during 2018.
| gentimes start=4/1/18 end=4/5/18
The results appear on the Statistics tab and look something like this:
| starttime | starthuman | endtime | endhuman |
|---|---|---|---|
| 1522566000 | Sun Apr 1 00:00:00 2018 | 1522652399 | Sun Apr 1 23:59:59 2018 |
| 1522652400 | Mon Apr 2 00:00:00 2018 | 1522738799 | Mon Apr 2 23:59:59 2018 |
| 1522738800 | Tue Apr 3 00:00:00 2018 | 1522825199 | Tue Apr 3 23:59:59 2018 |
| 1522825200 | Wed Apr 4 00:00:00 2018 | 1522911599 | Wed Apr 4 23:59:59 2018 |
2. Generate daily time ranges by specifying relative times
Generate daily time ranges from 30 days ago until 27 days ago.
| gentimes start=-30 end=-27
3. Generate hourly time ranges
Generate hourly time ranges from December 1 to December 5 in 2017.
| gentimes start=12/1/17 end=12/5/17 increment=1h
4. Generate time ranges by only specifying a start date
Generate daily time ranges from September 25 to today.
| gentimes start=9/25/17
5. Generate weekly time ranges
Although the week increment is not supported, you can generate a weekly increment by specifying increment=7d.
This examples generates weekly time ranges from December 1, 2017 to April 30, 2018.
| gentimes start=12/1/17 end=4/30/18 increment=7d
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the gentimes command.
|
PREVIOUS gauge |
NEXT geom |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.5, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1
Comments
On some (all?) versions of Splunk, "increment=1w" does not work (does the same thing as "increment=1d") and that should be fixed. When that is fixed, "increment=7d" should also be fixed so that the difference between "increment=7d" and "increment=1w" should be that the former's events have "endtime" values 1 day later than "starttime" and the latter should have "endtime" values 1 week later than "startttime"; otherwise they should be the same. It seems to me that the right thing to do is always use the "s/m/h/d/w" value to determine what the span from "starttime" to "endtime" should be in every case.
Woodcock - As stated in the increments, only seconds, minutes, hours, and days are supported. Weeks have never been supported. However to get weeks, you can use "increment=7d".