Adds a new field to your search results, called reltime, and sets this field to a human-readable value of the difference between
The human-readable values look like "5 days ago", "1 minute ago", "2 years ago", and so on.
The reltime command is a distributable streaming command. See Command types.
The reltime command returns relative times in seconds, minutes, hours, days and years. For example, 12 seconds ago.
The reltime command changes the time unit when a threshold has been passed. If the time difference between a timestamp and "now" does not meet the next threshold, the smaller time unit is used. For example, if you have a timestamp and only 23 hours and 59 seconds have passed, the relative time displays hours instead of days. When exactly 24 hours have passed, the relative time still displays hours. Only when 24 hours and 1 second have passed will the relative time display 1 day ago.
1. Show the relative time for each event
Consider the following set of timestamps:
When you add the reltime command to the end of the search, a field is added to the events. The relative time difference between the _time field and now is calculated and added to the new field.
If today is 2021-06-11 14:35:58, the results look something like this:
|_time|reltime|
|2021-06-10 14:35:58|1 day ago|
|2021-06-08 14:35:58|3 days ago|
|2021-04-12 14:35:58|1 month ago|
|2021-04-12 14:35:59|2 months ago|
The difference between 2021-04-12 is 60 days. Notice that the reltime column says 1 month ago for the first April 12th timestamp. The relative time won't display 2 months ago until exactly 60 days and 1 second have passed.
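To check the day and month thresholds described above on your own instance, the following search builds four events at fixed offsets from now and applies reltime to them. It is an added example, not part of the original documentation; the field names n and offset and the offset values are constructed for illustration.

```spl
| makeresults count=4
| streamstats count AS n
``` offsets in seconds: exactly 24 hours, 24 hours + 1 second, exactly 60 days, 60 days + 1 second ```
| eval offset=case(n=1, 86400, n=2, 86401, n=3, 5184000, n=4, 5184001)
``` place each event that many seconds before the search time ```
| eval _time=now()-offset
| reltime
| table _time offset reltime
```

Comparing the reltime values of rows 1 and 2, and of rows 3 and 4, shows where the unit changes relative to the boundary.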
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2011, 8.1.2009, 8.1.2012, 8.1.2101, 8.1.2103