https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47456#M11320 <P>If <CODE>Start_Date</CODE> is an extracted field you can just add it to the search in a key=value format, e.g;</P> <PRE><CODE>host=blah sourcetype=bleh Start_Date=08/26/2013* </CODE></PRE> <P>If it is <EM>not</EM> an extracted field, and you do not wish it to be, you can extract within the search first;</P> <PRE><CODE>host=blah sourcetype=bleh | rex "Start_Date:\s(?&lt;Start_Date&gt;\S+)" | search Start_Date=06/26/2013* </CODE></PRE> <P>Your use of <CODE>strftime/strptime</CODE> is not correct. Those two are functions of <CODE>eval</CODE>.</P> <P>Hope this helps,</P> <P>K</P> Tue, 27 Aug 2013 11:42:46 GMT kristian_kolb 2013-08-27T11:42:46Z https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47454#M11318 <P>I need to be able to search for log entries with a specific start date, which has nothing to do with <CODE>_time</CODE>. The format is, for example, <CODE>Start_Date: 08/26/2013 4:30 PM</CODE>.</P> <P>I need to add a condition in my search to specify the date, but not the time. I tried <CODE>strptime</CODE> and <CODE>strftime</CODE> unsuccessfully.</P> <P>For example, I tried converting start date to a string (without time) and compare it to another string:</P> <PRE><CODE>"08/26/2013"=strftime(Start_Date, "%d/%m/%Y") </CODE></PRE> <P>This didn't work either:</P> <PRE><CODE> "08/26/2013"=strftime(strptime(Start_Date "%d/%m/%Y %I:%M %p"), "%d/%m/%Y") </CODE></PRE> <P>Any ideas how to solve this?</P> Tue, 27 Aug 2013 11:22:27 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47454#M11318 mcamilleri 2013-08-27T11:22:27Z https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47455#M11319 <P>Use <BR /> search sourcetype="comparison" | eval existing_date=functions()<BR /> instead of comparing between 2 different dates of your search solve<BR /> evaluation function instead of equal sign, 2 different dates can not be equal try to use your existing dates to be compatible with your start_date format</P> <P>Hope this will help.</P> Mon, 28 Sep 2020 14:39:40 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47455#M11319 royimad 2020-09-28T14:39:40Z https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47456#M11320 <P>If <CODE>Start_Date</CODE> is an extracted field you can just add it to the search in a key=value format, e.g;</P> <PRE><CODE>host=blah sourcetype=bleh Start_Date=08/26/2013* </CODE></PRE> <P>If it is <EM>not</EM> an extracted field, and you do not wish it to be, you can extract within the search first;</P> <PRE><CODE>host=blah sourcetype=bleh | rex "Start_Date:\s(?&lt;Start_Date&gt;\S+)" | search Start_Date=06/26/2013* </CODE></PRE> <P>Your use of <CODE>strftime/strptime</CODE> is not correct. Those two are functions of <CODE>eval</CODE>.</P> <P>Hope this helps,</P> <P>K</P> Tue, 27 Aug 2013 11:42:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47456#M11320 kristian_kolb 2013-08-27T11:42:46Z https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47457#M11321 <P>If you want to use comparison operators instead of just making sure the string is equal to "08/26/2013 4:30 PM" (e.g. "return all events that have a start date <EM>after</EM> 09/24/2012"), you will need to convert the time into epoch seconds.</P> <PRE><CODE>&lt;base search&gt; | eval start-epoch=strptime(Start_Date, "%m/%d/%Y %I:%M %p") </CODE></PRE> <P>This will give you a new field <STRONG>start-epoch</STRONG> that may be used for comparison purposes.</P> <P>NOTE: This assumes you have a field called <STRONG>Start_Date</STRONG>. If you do not, you will need to extract the date similarly to how kristian.kolb did in the other answer provided.</P> <P>Hope this helps! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>References:</P> <UL> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commontimeformatvariables">http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Commontimeformatvariables</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/CommonEvalFunctions</A></LI> <LI><A href="http://answers.splunk.com/answers/37272/compare-two-date">http://answers.splunk.com/answers/37272/compare-two-date</A></LI> </UL> Tue, 27 Aug 2013 12:17:22 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47457#M11321 rturk 2013-08-27T12:17:22Z https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47458#M11322 <P>Thanks! <CODE>Start_Date=08/26/2013*</CODE> works perfectly.</P> Tue, 27 Aug 2013 12:59:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-date-comparison/m-p/47458#M11322 mcamilleri 2013-08-27T12:59:54Z