https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552438#M156799 <P>Not the difference, but using the app-release-date (past date) using this as the most recent date and use that as the starting point for this condition</P><P>[substitute the most recent as app-release-date]</P><P>The most recent = Green</P><P>Most recent – 7 days = yellow</P><P>Most recent – 30 days = red</P><P>Most recent &nbsp;&gt; 30 days = black</P> Thu, 20 May 2021 18:12:20 GMT RonD 2021-05-20T18:12:20Z https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552397#M156787 <P>I am creating a search that detects compliance received from palo alto signatures</P><P>we are receving 4 sets of dates:</P><P>app-release-date</P><P>av-release-date</P><P>wildfire-release-date</P><P>threat-release-date</P><P>one of these dates (app-release-date) does not get updated daily, meaning&nbsp; if today's date is 5/20/2021 the last updated release for the app-release date could be 4/20/2021</P><P>Now creating a pie chart comparing today's date, it will show that the app-release-date is out of date by 30 days but that is not the case, it just means that the most recent date for app-release-date is dated 4/20/2021.</P><P>The question is how will I use the 4/20/2021 in an "eval=case" condition and using the 4/20/2021 as the most recent date instead of "now()" conditions</P><P>For your perspective this is what I've done if using the "now()" conditions as a variable:</P><P><BR />| eval av-release-date=round(strptime('av-release-date', "%Y-%m-%d %H:%M:%S")), today=now(), timediff=today-'av-release-date', chart_date=strftime('av-release-date', "%Y-%m-%d")<BR />| eval color=case(timediff&lt;=86400, "within 24 hrs", timediff&gt;86400 AND timediff&lt;=259200, "within 72 hrs", timediff&gt;259200 AND timediff&lt;=604800, "within 168 hrs", timediff&gt;604800, "over 168 hrs")<BR />| stats count by color<BR /><BR /></P><P>this returns a chart that look like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RonD_0-1621519563448.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14234i2D60A242E22AFB11/image-size/medium?v=v2&amp;px=400" role="button" title="RonD_0-1621519563448.png" alt="RonD_0-1621519563448.png" /></span></P><P>The app-release-date conditions will be:</P><P>The most recent = Green -----&gt; the most recent is not "now()" but it could be 4/20/2021</P><P>Most recent – 7 days = yellow</P><P>Most recent – 30 days = red</P><P>Most recent &nbsp;&gt; 30 days = black</P><P>Please advise, and thank you in advance.</P><P>Regards,</P><P>&nbsp;</P> Thu, 20 May 2021 14:11:46 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552397#M156787 RonD 2021-05-20T14:11:46Z https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552406#M156791 <P>What are you trying to measure, the difference between app-release-date and av-release-date or app-release-date and today or something else?</P> Thu, 20 May 2021 14:45:15 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552406#M156791 ITWhisperer 2021-05-20T14:45:15Z https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552438#M156799 <P>Not the difference, but using the app-release-date (past date) using this as the most recent date and use that as the starting point for this condition</P><P>[substitute the most recent as app-release-date]</P><P>The most recent = Green</P><P>Most recent – 7 days = yellow</P><P>Most recent – 30 days = red</P><P>Most recent &nbsp;&gt; 30 days = black</P> Thu, 20 May 2021 18:12:20 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-date-comparison/m-p/552438#M156799 RonD 2021-05-20T18:12:20Z