topic Re: How to edit my search to compare two dates? in Splunk Search

How to edit my search to compare two dates?

splunk_hvijay — Wed, 02 Nov 2016 03:09:49 GMT

I want to compare two dates using case statement
Theoretically, case( _time > "2016-01-01") . If True, Print "Yes" in New column status1

Below is the search, but I am not getting any results. Can you please help?

index="test4" sourcetype="test2" | convert timeformat="%Y-%m-%d" ctime(_time) AS c_time | eval status1 = case(c_time < strptime(strptime("2016-01-01","%Y-%m-%d"),"%Y-%m-%d") , "Yes") |table _time, c_time,  Status1 , Name, Rank

Note: I'm using strptime twice to convey from epoch.

Re: How to edit my search to compare two dates?

gokadroid — Wed, 02 Nov 2016 04:00:09 GMT

I am assuming when you are comparing greater than or less than you mean epochNumber of _time is greater/less than epoch number of "2016-01-01". Give this a try please and adjust greater than or less than according to your like in eval status1 command:

yourBaseSearch to get the _time
|eval myNewTime=strptime("2016-01-01", "%Y-%m-%d")
| eval time1=strftime(_time, "%Y-%m-%d")
| eval epoch_time=strptime( time1, "%Y-%m-%d")
| eval status1=case( epoch_time < myNewTime, "Yes", 1=1, "No" )
| table _time, epoch_time, myNewTime, status1, Name, Rank