TIPS & TRICKS

fuzzy times

I’ve always liked fuzzy clocks that tell you “ten to six” instead of “17:52:32”. So here’s a Splunk macro to give you a field for that value.

fuzzytime

eval epochtime=_time
| eval timediff=now()-epochtime
| eval hourago=now()-relative_time(now(),"@h")
| eval hourago2=now()-relative_time(now(),"-1h@h")
| eval dayago=now()-relative_time(now(),"@d")
| eval dayago2=now()-relative_time(now(),"-1d@d")
| eval weekago=now()-relative_time(now(),"@w")
| eval weekago2=now()-relative_time(now(),"-1w@w")
| eval monthago=now()-relative_time(now(),"@mon")
| eval monthago2=now()-relative_time(now(),"-1mon@mon")
| eval quarterago=now()-relative_time(now(),"@q")
| eval quarterago2=now()-relative_time(now(),"-1q@q")
| eval yearago=now()-relative_time(now(),"@y")
| eval yearago2=now()-relative_time(now(),"-1y@y")
| eval fuzzytime=case(
    timediff<=hourago, "within the hour",
    timediff>hourago AND timediff<=hourago2, "an hour ago",
    timediff>hourago2 AND timediff<=dayago, "earlier today",
    timediff>dayago AND timediff<=dayago2, "yesterday",
    timediff>dayago2 AND timediff<=weekago, "earlier this week",
    timediff>weekago AND timediff<=weekago2, "last week",
    timediff>weekago2 AND timediff<=monthago, "earlier this month",
    timediff>monthago AND timediff<=monthago2, "last month",
    timediff>monthago2 AND timediff<=quarterago, "earlier this quarter",
    timediff>quarterago AND timediff<=quarterago2, "last quarter",
    timediff>quarterago2 AND timediff<=yearago, "earlier this year",
    timediff>yearago AND timediff<=yearago2, "last year",
    timediff>yearago2, "over two years ago")

Note that the month snap is "mon", not "m": in Splunk's relative time syntax "m" means minutes, so "@m" would snap to the start of the current minute and the month buckets would never match.

Of course, that means you can search more easily too.

* | `fuzzytime` | search fuzzytime="earlier this week" | timechart count

The macro uses Splunk's relative_time() snap-to modifiers (@h, @d, @w, @mon, @q, @y) rather than fixed counts of seconds, so each bucket is a calendar boundary: "yesterday" means the previous calendar day rather than 24 to 48 hours ago, and "last week" means the previous Sunday-to-Saturday week. That should match how people actually talk about time. Let me know if it works for you or could be done better!
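To check the boundary behaviour offline, here is a Python re-implementation of the macro's bucket logic (added example, not part of the original post). It assumes Splunk's default Sunday week start for @w and evaluates the labels in the same order as the macro's case() chain, so an event at 23:30 yesterday is "yesterday" even though it is only 15 hours old.

```python
from datetime import datetime, timedelta

# Ordered like the macro's case() chain: unit, "this <unit>" label, "previous <unit>" label.
BUCKETS = [
    ("h", "within the hour", "an hour ago"),
    ("d", "earlier today", "yesterday"),
    ("w", "earlier this week", "last week"),
    ("mon", "earlier this month", "last month"),
    ("q", "earlier this quarter", "last quarter"),
    ("y", "earlier this year", "last year"),
]

def snap(t: datetime, unit: str) -> datetime:
    """Truncate t to the start of its unit, like Splunk's @h, @d, @w, @mon, @q, @y."""
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":  # Splunk's @w snaps to Sunday; Python's weekday() has Monday == 0
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "q":
        return day.replace(month=3 * ((day.month - 1) // 3) + 1, day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown unit {unit!r}")

def snap_previous(t: datetime, unit: str) -> datetime:
    """Start of the unit before the current one, like Splunk's -1h@h, -1d@d, -1mon@mon, ..."""
    return snap(snap(t, unit) - timedelta(seconds=1), unit)

def fuzzytime(event_time: datetime, now: datetime) -> str:
    """Return the macro's fuzzytime label for an event observed at `now`."""
    timediff = (now - event_time).total_seconds()
    for unit, this_label, prev_label in BUCKETS:
        # Seconds back to the start of the current unit and of the previous one
        ago = (now - snap(now, unit)).total_seconds()
        ago2 = (now - snap_previous(now, unit)).total_seconds()
        if timediff <= ago:
            return this_label
        if timediff <= ago2:
            return prev_label
    return "over two years ago"

if __name__ == "__main__":  # constructed sample: Friday 2024-03-15 14:30 and some earlier events
    now = datetime(2024, 3, 15, 14, 30)
    for ev in [datetime(2024, 3, 14, 23, 30), datetime(2024, 3, 9, 12), datetime(2023, 11, 15)]:
        print(ev, "->", fuzzytime(ev, now))
```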

----------------------------------------------------
Thanks!
Jack Coates
