Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF


Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

reltime

Description

Adds a new field to your search results, called reltime, and sets this field to a human readable value of the difference between now and _time.

The human-readable values look like "5 days ago", "1 minute ago", "2 years ago", and so on.

Syntax

reltime

Usage

The reltime command is a distributable streaming command. See Command types.

The reltime command returns relative times in seconds, minutes, hours, days and years. For example, 12 seconds ago.

The reltime command changes the time unit when a threshold has been passed. If the time difference between a timestamp and "now" does not meet the next threshold the smaller time unit is used. For example, if you have a timestamp and only 23 hours and 59 seconds have passed, the relative time displays hours instead of days. When exactly 24 hours have passed, the relative time still displays hours. Only when 24 hours and 1 second have passed will the relative time display 1 day ago.

Examples

1. Show the relative time for each event

Consider the following set of timestamps:

_time
2021-06-11 14:35:58
2021-06-10 14:35:58
2021-06-08 14:35:58
2021-04-12 14:35:58
2021-04-12 14:35:59


When you add the reltime command to the end of the search, a field is added to the events. The relative time difference between the _time field and now is calculated and added to the new field.

If today is 2021-06-11 14:35:58, the results look something like this:

_time reltime
2021-06-11 14:35:58 now
2021-06-10 14:35:58 1 day ago
2021-06-08 14:35:58 3 days ago
2021-04-12 14:35:58 1 month ago
2021-04-12 14:35:59 2 months ago

The difference between 2021-06-11 and 2021-04-12 is 60 days. Notice that the reltime column says 1 month ago for the first April 12th timestamp. The relative time won't display 2 months ago until exactly 60 days and 1 second have pasted.

See also

convert

Last modified on 18 June, 2021
PREVIOUS
regex
  NEXT
rename

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters