Splunk Understanding Difference with epoch time and adding min

Question

I have been able to read the blogs and understand somewhat how the calculations are taking place, but need further clarity.

Case: Ingestion_Time_Logged will output the CreationTime event on the 7th min or the 37th min regardless of what time the actual CreationTime event occurred. Example:

If CreationTime Event occured at "2021-03-06 07:38:59.000" Then the Ingestion_Time_Logged will be the closest 7th min or 37th min. In this case the Ingestion_Time_Logged will be "2021-03-06 08:07:59.000". The code works fine. I am just trying to understand how it is calculating it.

What I understand so far:

% is the modulo operator which is a way to determine the remainder of a division operation. Instead of returning the result of the division, the modulo operation returns the whole number remainder.

latestComposed_min%30 will divide the minutes by 30 and result in the reminder. I used it to find if the minute is between 0 - 7 or 30 - 37. It is the same as below but much easier and efficient.

if(latestComposed_min < 7 OR (latestComposed_min>30 AND latestComposed_min < 37))

Excluded 37 and 7 to keep them as they are since they are already ok, if we do not exclude them, they will be added 37 minutes. Since both are NOT comparisons AND should be used between them otherwise with OR the result will be always true (which is wrong)

The piece I am struggling with:

| eval Ingestion_Time_Logged=strftime(case(latestCreated_min%30 < 7, CreationTime_epoch-CreationTime_epoch%1800+420+latestCreated_sec, latestCreated_min!=37 AND latestCreated_min!=7, CreationTime_epoch-CreationTime_epoch%1800+2220+latestCreated_sec,1=1,CreationTime_epoch),"%Y-%m-%d %H:%M:%S.%6N")

Full Code:

| makeresults

| eval CreationTime="2021-03-06 07:38:59.000"

| eval CreationTime_epoch=strptime(CreationTime, "%Y-%m-%d %H:%M:%S.%6N")

| eval latestCreated_hour=tonumber(strftime(CreationTime_epoch, "%H"))

| eval latestCreated_min=tonumber(strftime(CreationTime_epoch, "%M"))

| eval latestCreated_sec=round(CreationTime_epoch%60,6)

| eval Ingestion_Time_Logged=strftime(case(latestCreated_min%30 < 7, CreationTime_epoch-CreationTime_epoch%1800+420+latestCreated_sec, latestCreated_min!=37 AND latestCreated_min!=7, CreationTime_epoch-CreationTime_epoch%1800+2220+latestCreated_sec,1=1,CreationTime_epoch),"%Y-%m-%d %H:%M:%S.%6N")

| table Ingestion_Time_Logged, CreationTime, CreationTime_epoch, latestCreated_hour, latestCreated_min

Answer 1

Let's break it down

Here, we're setting the value of the Ingestion_Time_logged field to the result of the strftime function. That is, we're converting a epoch time into a string.

| eval Ingestion_Time_Logged=strftime(

The epoch to convert is determined by a case statement.

case(

If the created minute (38 in the example) is 0-6 or 30-36

latestCreated_min%30 < 7, 

then round down. The %1800 is the same as %30 above, only in seconds rather than minutes. Subtracting that from the epoch time shifts the epoch time to the top or bottom of the hour. The 420 adds in 7 minutes then we add in seconds.

CreationTime_epoch-CreationTime_epoch%1800+420+latestCreated_sec, 

If the created minute is neither 7 nor 37 (our case)

latestCreated_min!=37 AND latestCreated_min!=7, 

then we do the same as above, except using 37 minutes, advancing the time to the next :07 or :37.

CreationTime_epoch-CreationTime_epoch%1800+2220+latestCreated_sec,

This is the default (catch-all) case, which takes the CreationTime_epoch field as-is.

1=1,CreationTime_epoch),

This is how the timestamp string will be formatted.

"%Y-%m-%d %H:%M:%S.%6N")