topic Re: Eval if date stamp is a certain month? in Splunk Search

Eval if date stamp is a certain month?

rkassabov — Thu, 29 Mar 2018 05:33:05 GMT

I need to eval if a date+time stamp (for example: 2018-02-22 21:54:00.380000) falls in a certain month (i.e. jan, feb, etc).

If so, I need to write data to a column of my creation, how would I accomplish this?

Re: Eval if date stamp is a certain month?

splunker12er — Thu, 29 Mar 2018 06:02:01 GMT

Try this, I took _time and convert to epoch time from there I can able to eval my month

Yoursearch| eval new_date_epoch=_time|eval month=strftime(new_date_epoch,"%b")|table _time,new_date_epoch,month,_raw

Re: Eval if date stamp is a certain month?

deepashri_123 — Tue, 29 Sep 2020 18:49:15 GMT

Hey@rkassabov,

You can try using the default splunk field "date_month"
So your query should be like:
index=.. | stats ... by date_month

Let me know if this helps!!

Re: Eval if date stamp is a certain month?

somesoni2 — Thu, 29 Mar 2018 09:36:51 GMT

Are you looking for writing a case expression to set value based on month of the timestamp (assuming _time is the field)? If yes, you can do like this

your base search
|eval month=strftime(new_date_epoch,"%b")
| eval ColOfYourCreation=case(month="jan","Specific to Jan value", month="feb","Specific to Feb value",....., true(),"Some Default value")

Re: Eval if date stamp is a certain month?

rkassabov — Thu, 29 Mar 2018 18:23:29 GMT

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?

Re: Eval if date stamp is a certain month?

rkassabov — Thu, 29 Mar 2018 18:23:36 GMT

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?

Re: Eval if date stamp is a certain month?

rkassabov — Thu, 29 Mar 2018 18:24:20 GMT

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?

Re: Eval if date stamp is a certain month?

hos_2 — Thu, 29 Mar 2018 22:16:22 GMT

Hey Rkassabov,

Try something like this:

Your search | eval currentmonth=relative_time(now(), "@mon") | eval previousmonth=relative_time(now(),"-1mon@mon") |

In your case you can use whatever field generates 2018-02-22 21:54:00.380000 and have eval convert it to a month and then use more evals to do the math.

https://answers.splunk.com/answers/290050/how-to-extract-month-from-a-date-field-and-sort-by.html

Or you can try converting the date field into Epoch Time, which I found much easier to work with.

For example, I wanted to see only tickets from the previous month in my ticketing system (however my resolved_at field was hard to work with so I converted it to epoch time):

| eval Rtime=strptime(resolved_at, "%Y-%m-%d %H:%M:%S") | eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") |  where Rtime <= end AND Rtime >= start AND _time <= end AND _time >= start |

Re: Eval if date stamp is a certain month?

somesoni2 — Thu, 29 Mar 2018 23:42:37 GMT

The |eval month=strftime(new_date_epoch,"%b") portion is where you'd specify our date+timestamp field. If you date+timestamp is a single field with value already in epoch format, just specify the field name there. If it's in string format, then you'd need to convert it to epoch within that expression, like |eval month=strftime(strptime(YourTimestampFieldHere,"TimestampFormatWillComeHere"),"%b"). The eval-case expression is where you match month and assign specific value.

Re: Eval if date stamp is a certain month?

rkassabov — Fri, 30 Mar 2018 02:38:42 GMT

I still don't understand. In the first example, how would I only perform an operation if the month in the datestamp is march?

I get that I have to convert the datestamp to make it easier to work with, but how do I check if that new epoch time is the first, second, third etc month of the year, then perform an operation?

Re: Eval if date stamp is a certain month?

rkassabov — Fri, 30 Mar 2018 03:10:30 GMT

It looks like you are comparing the datestamp to the current time and looking to see if it was in the previous month.

Re: Eval if date stamp is a certain month?

hos_2 — Mon, 02 Apr 2018 14:53:42 GMT

Hey, so the below eval will run against the current time, then extract the current month and label it as currentmonth:

| eval currentmonth=relative_time(now(), "@mon")

For example "currentmonth" returns this value today: 1522562400.000000

Put that into a website like this : https://www.epochconverter.com/

Then you have a epoch time that Splunk created for the begining of the month: GMT: Sunday, April 1, 2018 6:00:00 AM

Then the @mon part of the search, extracts specifically the month from the currently time.

You could easily tweak this to do the same to which ever field is generating your date and time.

    | eval new_date=strftime(strptime(<yourfield>, "%Y-%m-%d %H:%M:%S"),"%m")
## This will convert your field into epoch time. Then you could use something like below to tell your search which month you are looking for.
| eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") 
|  where new_date <= end AND new_date >= start AND _time <= end AND _time >= start |