topic Re: How to compare a certain date/time in epoch format with a fixed date/time in human readable format? in Splunk Search

How to compare a certain date/time in epoch format with a fixed date/time in human readable format?

skender27 — Tue, 01 Sep 2015 14:31:08 GMT

Hi,

I'd like to compare two dates and time (if A<=B):
the one, let's call it A, I have it already in epoch time and the second, let's call it B, is a fixed date and time, which is exactly 31-08-2015 23:59:59.

I tried it like this (converted A in human readable date/time):

| eval compare = strftime(A, "%d-%m-%Y %T")
| where compare<=B*

but it doesn't work...

Any suggestion,

Thanks,
Skender

Re: How to compare a certain date/time in epoch format with a fixed date/time in human readable format?

aarontimko — Tue, 01 Sep 2015 14:41:11 GMT

My understanding is strftime will result in a Formatted string whereas strptime will result in a Parsed timestamp, so if you want to compare timestamps, you will want the value to be a timestamp, not a string.

http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonEvalFunctions
(Scroll down to "Date and Time functions")

I think if you try strptime like in this answer, it will work:
https://answers.splunk.com/answers/37272/compare-two-date.html

Re: How to compare a certain date/time in epoch format with a fixed date/time in human readable format?

somesoni2 — Tue, 01 Sep 2015 15:03:28 GMT

Try something like this

your current search giving field A in epoch | where A<=strptime("31-08-2015 23:59:59","%d-%m-%Y %H:%M:%S")

Re: How to compare a certain date/time in epoch format with a fixed date/time in human readable format?

skender27 — Tue, 01 Sep 2015 15:15:38 GMT

Thank you!
I inserted the "| where" inside the macro I used in the report.

It works perfectly now!
Skender K.