This gives us the following table:

Good references for strptime formats can be found on modern Linux systems by running man strptime or man date, or by searching google.com. Splunk has several special extensions to strptime that can be found by searching for "Enhanced strptime() support" at http://docs.splunk.com/.
Now that we have our epoch value for now, we can build and test our query like this:
earliest=-1m latest=+5m now=1337217839 ip=1.22.3.3
This gives us a normal event listing, from one minute before our event to five minutes after our selected event, only showing events that have the field ip in common.
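As an added example, not code from the book, the two steps above can be reproduced outside Splunk: a timestamp is parsed with a strptime format into an epoch value, and that value is dropped into the earliest/latest/now search. The sample timestamp, the format string, and the field value are constructed here to match the query on the page; the ip check is an extra precaution so that a macro argument can only ever contain an address, not additional search terms.

```python
import calendar
import ipaddress
import time

# Constructed sample input: an event timestamp in a known format.
# 2012-05-17 01:23:59 UTC corresponds to the epoch value 1337217839 used on the page.
SAMPLE_TIME = "2012-05-17 01:23:59"
SAMPLE_FORMAT = "%Y-%m-%d %H:%M:%S"


def to_epoch(timestamp, fmt):
    """Parse `timestamp` with the strptime format `fmt` and return UTC epoch seconds.

    time.strptime returns a struct_time with no timezone; calendar.timegm treats
    it as UTC, which matches how Splunk stores _time for the query below.
    """
    parsed = time.strptime(timestamp, fmt)
    return calendar.timegm(parsed)


def build_context_search(epoch, ip, before="-1m", after="+5m"):
    """Build the relative-time search around a pivot event.

    `now` is pinned to the event's epoch so that earliest/latest are evaluated
    relative to the event rather than to the wall clock. The ip value is validated
    before being embedded so a caller cannot append extra search terms through it.
    """
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an address
    return f"earliest={before} latest={after} now={int(epoch)} ip={ip}"


if __name__ == "__main__":
    epoch = to_epoch(SAMPLE_TIME, SAMPLE_FORMAT)
    print(epoch)
    print(build_context_search(epoch, "1.22.3.3"))
```

The printed search is exactly the line tested on the page; the same string, with the ip replaced by a macro argument, is what goes into the macro definition in the next step.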
Now that we have our search, and our eval statement for converting the value of now, we can actually build our macro in Manager | Advanced search | Search macros | Add new.