https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495593#M138146 <P>I have a sample data as below</P> <P>Assigned Analyst Assigned Date<BR /> John 2018-03-09 00:00:00.0<BR /> 2018-03-23 00:00:00.0<BR /> 2018-03-30 00:00:00.0<BR /> 2018-04-16 00:00:00.0<BR /> 2018-04-24 00:00:00.0<BR /> 2018-04-26 00:00:00.0<BR /> 2018-05-03 00:00:00.0</P> <P>Joe 2017-03-22 00:00:00.0<BR /> 2017-03-23 00:00:00.0<BR /> 2017-05-01 00:00:00.0<BR /> 2017-05-02 00:00:00.0<BR /> 2017-05-18 00:00:00.0<BR /> 2017-05-23 00:00:00.0</P> <P>Now, I would like to find the time span for each Analyst based on the earliest and latest values of Assigned Date in Years and Days.<BR /> Assigned Date is simply the date on which the ticket was assigned. Ticket Number is the unique identifier which I didn't add in the sample data.<BR /> Thanks in advance</P> Fri, 13 Mar 2020 18:35:43 GMT khojas02 2020-03-13T18:35:43Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495593#M138146 <P>I have a sample data as below</P> <P>Assigned Analyst Assigned Date<BR /> John 2018-03-09 00:00:00.0<BR /> 2018-03-23 00:00:00.0<BR /> 2018-03-30 00:00:00.0<BR /> 2018-04-16 00:00:00.0<BR /> 2018-04-24 00:00:00.0<BR /> 2018-04-26 00:00:00.0<BR /> 2018-05-03 00:00:00.0</P> <P>Joe 2017-03-22 00:00:00.0<BR /> 2017-03-23 00:00:00.0<BR /> 2017-05-01 00:00:00.0<BR /> 2017-05-02 00:00:00.0<BR /> 2017-05-18 00:00:00.0<BR /> 2017-05-23 00:00:00.0</P> <P>Now, I would like to find the time span for each Analyst based on the earliest and latest values of Assigned Date in Years and Days.<BR /> Assigned Date is simply the date on which the ticket was assigned. Ticket Number is the unique identifier which I didn't add in the sample data.<BR /> Thanks in advance</P> Fri, 13 Mar 2020 18:35:43 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495593#M138146 khojas02 2020-03-13T18:35:43Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495594#M138147 <PRE><CODE>| makeresults | eval _raw="Assigned Analyst,Assigned Date John,2018-03-09 00:00:00.0 ,2018-03-23 00:00:00.0 ,2018-03-30 00:00:00.0 ,2018-04-16 00:00:00.0 ,2018-04-24 00:00:00.0 ,2018-04-26 00:00:00.0 ,2018-05-03 00:00:00.0 Joe,2017-03-22 00:00:00.0 ,2017-03-23 00:00:00.0 ,2017-05-01 00:00:00.0 ,2017-05-02 00:00:00.0 ,2017-05-18 00:00:00.0 ,2017-05-23 00:00:00.0" |multikv forceheader=1 | table A* | rename COMMENT as "this sample, from here, the logic" | eval assigned_time=strptime(Assigned_Date,"%F %T.%1Q") | eval assigned_year=strftime(assigned_time,"%Y") | filldown Assigned_Analyst | stats min(assigned_time) as FirstAssigned max(assigned_time) as LastAssigned range(assigned_time) as span by Assigned_Analyst assigned_year | eval FirstAssigned=strftime(FirstAssigned,"%F %T"), LastAssigned=strftime(LastAssigned,"%F %T") | eval span=tostring(span,"duration") | rex field=span mode=sed "s/(\d+)?\+?(\d\d):(\d\d):\d\d\.\d+/\1d \2h \3m/g" </CODE></PRE> Fri, 13 Mar 2020 19:56:14 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495594#M138147 to4kawa 2020-03-13T19:56:14Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495595#M138148 <P>Like this:</P> <PRE><CODE>| makeresults | eval _raw="Assigned Analyst,Assigned Date John,2018-03-09 00:00:00.0 2018-03-23 00:00:00.0 2018-03-30 00:00:00.0 2018-04-16 00:00:00.0 2018-04-24 00:00:00.0 2018-04-26 00:00:00.0 2018-05-03 00:00:00.0 Joe,2017-03-22 00:00:00.0 2017-03-23 00:00:00.0 2017-05-01 00:00:00.0 2017-05-02 00:00:00.0 2017-05-18 00:00:00.0 2017-05-23 00:00:00.0" | multikv forceheader=1 | table A* | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | rex field=Assigned_Date mode=sed "s/(-\d+)\s+/\1T/g" | makemv Assigned_Date | eval Assigned_Date = strptime(Assigned_Date, "%Y-%m-%dT%H:%M:%S.%1n") | stats range(Assigned_Date) AS duration BY Assigned_Analyst | fieldformat duration = tostring(duration, "duration") </CODE></PRE> Fri, 13 Mar 2020 21:12:08 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495595#M138148 woodcock 2020-03-13T21:12:08Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495596#M138149 <P>This worked for me, thanks!!</P> <P>How can we show the the days in years?</P> Fri, 13 Mar 2020 23:52:15 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495596#M138149 khojas02 2020-03-13T23:52:15Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495597#M138150 <P>See my answer. It does this and is more efficient, too.</P> Sat, 14 Mar 2020 00:12:35 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495597#M138150 woodcock 2020-03-14T00:12:35Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495598#M138151 <P><EM>assigned_year</EM> displays already. </P> <P><CODE>the days in years?</CODE> what's this? </P> <PRE><CODE>.... |rex field=span "(?&lt;days&gt;\d+)" | eventstats sum(days) by Assigned_Analyst </CODE></PRE> <P>this?</P> Sat, 14 Mar 2020 02:17:12 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495598#M138151 to4kawa 2020-03-14T02:17:12Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495599#M138152 <P>Hi, </P> <P>For some reason, this solution is not producing any output for me.</P> <P>I just added required index and source on top of it. </P> Mon, 16 Mar 2020 18:30:00 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495599#M138152 khojas02 2020-03-16T18:30:00Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495600#M138153 <P>Your search has created the output shown below. Now, if I want to add the column that shows the span in number of years.</P> <P>AssignedAnalyst FirstAssigned LastAssigned span<BR /> B_Davis 2018-03-09 00:00:00 2020-02-28 00:00:00 721d 00h 00m<BR /> C_Ramos 2017-03-22 00:00:00 2019-06-24 00:00:00 824d 00h 00m<BR /> L_Allen 2018-09-19 00:00:00 2019-01-14 00:00:00 17d 01h 00m</P> <P>Is is possible to do that? Thanks!!</P> Wed, 30 Sep 2020 04:34:44 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495600#M138153 khojas02 2020-09-30T04:34:44Z https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495601#M138154 <PRE><CODE> .... | rex field=span "(?&lt;days&gt;\d+)" | eval years=floor(days/365)."years ".(days % 365)."days" </CODE></PRE> <P>If you want only years, amend this.</P> Tue, 17 Mar 2020 09:41:39 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-2-dates-based-on-another-field-in-years-and/m-p/495601#M138154 to4kawa 2020-03-17T09:41:39Z