topic Re: Need to eval date range instead of relative time from custom time field. in Splunk Search

Need to eval date range instead of relative time from custom time field.

matt4321 — Tue, 29 Sep 2020 15:53:04 GMT

I am currently using this method to use date from custom field for relative time frames which only gives me 3 months.

| eval NewTime=strptime(ProjCreatedDate,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime
| where _time>=relative_time(now(),"-3mon") AND _time

I need to get instead of relative time Last 3 months I need a time range.. From 1/1/2017 to 5/21/2017.

Re: Need to eval date range instead of relative time from custom time field.

gcusello — Tue, 19 Sep 2017 15:33:15 GMT

Hi matt4321,
try something like this:

your_search
| eval NewTime=strptime(ProjCreatedDate,"%Y-%m-%d %H:%M:%S")
| where NewTime>=relative_time(now(),"-3mon")

I didn't understood the second condition "AND _time"

Bye.
giuseppe

Re: Need to eval date range instead of relative time from custom time field.

somesoni2 — Tue, 19 Sep 2017 15:35:48 GMT

Can you explain your requirement more, possibly with an example of what you currently get and what you expect?

Re: Need to eval date range instead of relative time from custom time field.

matt4321 — Tue, 19 Sep 2017 15:42:11 GMT

Yes sorry for some reason this posted with my bottom question not in there. I need to get instead of relative time Last 3 months I need a time range.. From 1/1/2017 to 5/21/2017.

Re: Need to eval date range instead of relative time from custom time field.

matt4321 — Tue, 19 Sep 2017 20:24:13 GMT

Awesome I was wondering about that as well.. I will remove it and see how it goes.

Do you know about the updated comment?
"I need to get instead of relative time Last 3 months I need a time range.. From 1/1/2017 to 5/21/2017."

Any help would be appreciated.

Re: Need to eval date range instead of relative time from custom time field.

somesoni2 — Tue, 19 Sep 2017 21:40:04 GMT

If you're trying to compare against the specific/static dates, do like this

your base search | eval _time=strptime(ProjCreatedDate,"%Y-%m-%d %H:%M:%S")
| where _time>=strptime("1/1/2017","%m/%d/%Y") AND _time<=strptime("5/21/2017","%m/%d/%Y")

Re: Need to eval date range instead of relative time from custom time field.

gcusello — Wed, 20 Sep 2017 09:20:33 GMT

as suggested by @somesoni2 modify the where condition with

| where _time>=strptime("1/1/2017","%m/%d/%Y") AND _time<=strptime("5/21/2017","%m/%d/%Y")

Bye.
Giuseppe

Re: Need to eval date range instead of relative time from custom time field.

gcusello — Wed, 20 Sep 2017 11:10:03 GMT

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

Re: Need to eval date range instead of relative time from custom time field.

matt4321 — Wed, 20 Sep 2017 13:52:27 GMT

This worked perfect Thank you very much!! Trying to change this to the answer now.