https://community.splunk.com/t5/Splunk-Search/Date-field-comparison/m-p/582044#M202744 <P>Dates can only be compared in integer form.&nbsp; Use the <FONT face="courier new,courier">strptime</FONT> function to convert them to integers and then compare them.</P><LI-CODE lang="markup">index=devices | eval last24h=relative_time(now(), "-1d") | eval dls = strptime(device_last_seen, "%Y-%m-%dT%H:%M:%S%Z") | where dls &gt; last24h | table device_last_seen</LI-CODE><P>&nbsp;</P> Fri, 21 Jan 2022 16:24:26 GMT richgalloway 2022-01-21T16:24:26Z https://community.splunk.com/t5/Splunk-Search/Date-field-comparison/m-p/582007#M202734 <P>I need help regarding comparise a ISO 8601 date field with a specific date.</P><P>Below is a simple example:</P><P><STRONG>index=devices | table device_last_seen</STRONG></P><P><EM>Results</EM>:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">device_last_seen</TD></TR><TR><TD width="100%">2022-01-21T13:09:58Z</TD></TR><TR><TD width="100%">2022-01-21T13:10:06Z</TD></TR><TR><TD width="100%">2022-01-17T14:56:00Z</TD></TR><TR><TD width="100%">2022-01-16T10:57:18Z</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>My goal is to show only the devices reported in the last 24h. It should be like this:</P><TABLE border="1"><TBODY><TR><TD width="100%">device_last_seen</TD></TR><TR><TD width="100%">2022-01-21T13:09:58Z</TD></TR><TR><TD width="100%">2022-01-21T13:10:06Z</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>However the search below didn´t return any results.</P><P>index=devices<BR />| eval last24h=relative_time(now(), "-1d")<BR />| where device_last_seen &gt; last24h<BR />| table device_last_seen</P><P><SPAN>Thank in advance for your help.</SPAN></P> Fri, 21 Jan 2022 14:05:44 GMT https://community.splunk.com/t5/Splunk-Search/Date-field-comparison/m-p/582007#M202734 alexandrebas 2022-01-21T14:05:44Z https://community.splunk.com/t5/Splunk-Search/Date-field-comparison/m-p/582044#M202744 <P>Dates can only be compared in integer form.&nbsp; Use the <FONT face="courier new,courier">strptime</FONT> function to convert them to integers and then compare them.</P><LI-CODE lang="markup">index=devices | eval last24h=relative_time(now(), "-1d") | eval dls = strptime(device_last_seen, "%Y-%m-%dT%H:%M:%S%Z") | where dls &gt; last24h | table device_last_seen</LI-CODE><P>&nbsp;</P> Fri, 21 Jan 2022 16:24:26 GMT https://community.splunk.com/t5/Splunk-Search/Date-field-comparison/m-p/582044#M202744 richgalloway 2022-01-21T16:24:26Z