topic Re: Splunk Date/Time comparison using _time generated through timechart for a Span of 1 Month in Splunk Search

Splunk Date/Time comparison using _time generated through timechart for a Span of 1 Month

promukh — Tue, 06 Oct 2020 02:16:47 GMT

Hello Experts,

I am having a search as below

Output from the search is as below

_time	Used	Total	Projected	lower95
2019-09	1	1	<some numbers>	<some numbers>
2020-03	2	3	<some numbers>	<some numbers>
2020-04	4	7	<some numbers>	<some numbers>
2020-05	4	11	<some numbers>	<some numbers>
2020-09	5	16	<some numbers>	<some numbers>
2020-10			<some numbers>	<some numbers>
2020-11			<some numbers>	<some numbers>
2020-12			<some numbers>	<some numbers>
2021-01			<some numbers>	<some numbers>

How can i compare the "_time" field with current "month-year" and display only those rows greater than the current Year-Month.

| search _time>strftime(now(),"%Y-%m-%d")

Any hep will be appreciated ..Thanks

Re: Splunk Date/Time comparison using _time generated through timechart for a Span of 1 Month

thambisetty — Tue, 06 Oct 2020 06:22:01 GMT

comparison of two times without convert them to epoch is difficult. converting just year and month to epoch time doesn't happen. I have added 01 as day for each months and compared. add below line to your SPL.

| where (strptime(strftime(_time,"%Y-%m-01"),"%Y-%m-%d"))> (strptime(strftime(now(),"%Y-%m-01"),"%Y-%m-%d"))

Re: Splunk Date/Time comparison using _time generated through timechart for a Span of 1 Month

promukh — Wed, 07 Oct 2020 01:35:05 GMT

perfect thanks for the explanation ..appreciate it !!