topic Re: Compare a date field with current date in Splunk Search

Compare a date field with current date

rbw78 — Wed, 19 Sep 2012 12:55:59 GMT

Hello,

I have some events into splunk which I would like to compare with today's date less than 30 days.
I want to exctract all the events which are older than 30 days like this.

The date field in the events has this form : Date="2012-09-24" which is %Y-%m-%d

How could I get the current splunk date in my search and make a compare with the date field ?
I suppose the use of epoch values as proposed here could be a solution once the current date obtained.

http://splunk-base.splunk.com/answers/37272/compare-two-date

Thanks.

Re: Compare a date field with current date

Ayn — Wed, 19 Sep 2012 13:45:41 GMT

Do you mean that the date field is different from the event's timestamp? So you want to compare the timestamp to some date in the event?

Re: Compare a date field with current date

reed_kelly — Mon, 28 Sep 2020 12:28:15 GMT

To get the current date, you can just add:

|eval timenow=now()

This gets epoch time into the field timenow. If you want to format it, you can use strftime:

|eval nowstring=strftime(now(), "%Y-%m-%d")

If you want to convert your date to an epoch time:

|eval epochdate=strptime(yourdate, "%Y-%m-%d")

You can also use relative_time to find the epoch value of 30 days ago:

|eval epoch30days_ago=relative_time(now(), "-30d@d" )

This could be used to do a direct comparison with the strptime value from above.

Finally, you can do the strptime and set it to _time. This would allow you to set the time range directly:

|eval _time=strptime(yourdate, "%Y-%m-%d") |search latest=-30d

Re: Compare a date field with current date

rbw78 — Mon, 28 Sep 2020 12:29:03 GMT

I tried with the following lines in my search and it works now.

eval epochevent=strptime(N_patch, "%Y/%m/%d") | eval epoch30daysago=relative_time(now(), "-30d@d" ) | where epoch30daysago>=epochevent

Thanks for your help !

Re: Compare a date field with current date

skender27 — Tue, 01 Sep 2015 14:10:48 GMT

Hi,

Thanks for this answer.
And how to control if some date and time is after or before a certain date and time (let's say in epoch time)?

Skender

Re: Compare a date field with current date

twh1 — Tue, 25 Sep 2018 17:27:04 GMT

Hi @reed.kelly,
How we can get the epoch time for relative time like -7d@h.

earliest = -7d@h

Re: Compare a date field with current date

reed_kelly — Tue, 29 Sep 2020 21:22:45 GMT

I think that is in my answer.
| makeresults
| fields - _time
| eval seven_days_on_hour=relative_time(now(), "-7d@h" )
Does that answer it?

Re: Compare a date field with current date

twh1 — Wed, 26 Sep 2018 11:58:15 GMT

Hi @reed.kelly ,
Yes, we can get this for fixed time.

I want to check the records for which CREATE_TIME match based on my date selection from time picker control. Currently I am using below query, which is always checking only for today's date.

index=os_na sourcetype="oracle_os:healthcheck" "ADR Home =" | multikv | table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP | dedup INCIDENT_ID | eval create_day=substr(CREATE_TIME, 1, 10) | eval now_day = strftime(now(), "%m/%d/%Y") | where INCIDENT_ID!=" " AND create_day==now_day

Could you please help me to get desired result.

Re: Compare a date field with current date

reed_kelly — Wed, 26 Sep 2018 13:20:21 GMT

I have some thoughts, but this question deserves its own top-level question so that others can offer their own insight. Also, people looking for answers to questions like yours will find a more targeted answer. Don't be afraid to open a whole new question 🙂

Re: Compare a date field with current date

twh1 — Wed, 26 Sep 2018 17:35:13 GMT

I have posted this as a new question. below is the link.

https://answers.splunk.com/answers/689581/how-to-compare-the-log-date-with-time-picker-date.html

Re: Compare a date field with current date

in22915110 — Wed, 22 Apr 2020 05:15:40 GMT

Hi,

I want to compare the event time to less than Tuesday 2PM of every week, Could you please let me know if this is possible??

Thanks,
Anilkumar