Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: In the following query, what is wrong with thi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the following query, what is wrong with this date difference?
collinlorb
Engager
11-16-2018
04:33 AM
Below is my code: I have followed suggestions found on here for date & time difference, yet this one is not working. What's wrong with it?
| from datamodel:"TestTable"
| where scope LIKE "Test%"
| where us_schedule_state like "Accepted"
| where !LIKE(iteration, "%G")
| eval EndDate = strptime(AcceptedDate, "%Y-%m-%d")
| eval StartDate = strptime(trans_to_inprogress_date, "%Y-%m-%d")
| eval DateDiff = tostring((EndDate - StartDate), "duration")
| eval Date = strftime(1533096000.000000, "%Y-%m-%d %H:%S")
| where strftime(StartDate, "%Y-%m-%d %H:%S") > Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-19-2018
08:39 AM
Both operands in your last where clause are string. To compare dates, use the epoch formatted value.
| from datamodel:"TestTable"
| where scope LIKE "Test%"
| where us_schedule_state like "Accepted"
| where !LIKE(iteration, "%G")
| eval EndDate = strptime(AcceptedDate, "%Y-%m-%d")
| eval StartDate = strptime(trans_to_inprogress_date, "%Y-%m-%d")
| eval DateDiff = tostring((EndDate - StartDate), "duration")
| eval Date = strftime(1533096000.000000, "%Y-%m-%d %H:%S")
| where StartDate > strptime(Date, "%Y-%m-%d %H:%S")
OR simply
| from datamodel:"TestTable"
| where scope LIKE "Test%"
| where us_schedule_state like "Accepted"
| where !LIKE(iteration, "%G")
| eval EndDate = strptime(AcceptedDate, "%Y-%m-%d")
| eval StartDate = strptime(trans_to_inprogress_date, "%Y-%m-%d")
| eval DateDiff = tostring((EndDate - StartDate), "duration")
| eval Date = strftime(1533096000.000000, "%Y-%m-%d %H:%S")
| where StartDate > 1533096000.000000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
morethanyell
Builder
11-16-2018
06:02 AM
| where strftime(StartDate, "%Y-%m-%d %H:%S") > Date
the code above parses Hour : Second which doesn't make sense
also, try this
| eval EndDate = strptime(AcceptedDate . " 00:00:00", "%Y-%m-%d %H:%M:%S")
| eval StartDate = strptime(trans_to_inprogress_date . " 00:00:00", "%Y-%m-%d %H:%M:%S")
EDIT
if above doesn't work because you mentioned the time format looks like "2018-11-16T14:10:20.969Z", try this:
| rex field=AcceptedDate "(?<date_ymd_ad>[^/]*)T(?<date_hms_ad>[^//]*)."
| rex field=trans_to_inprogress_date "(?<date_ymd_ttid>[^/]*)T(?<date_hms_ttid>[^//]*)."
| eval EndDate = strptime(date_ymd_ad . " " . date_hms_ad, "%F %X.%3N")
| eval StartDate = strptime(date_ymd_ttid . " " . date_hms_ttid, "%F %X.%3N")
| eval DateDiff = tostring(round(EndDate - StartDate, 3), "duration")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
collinlorb
Engager
11-16-2018
06:30 AM
That code actually returns nothing for StartDate or EndDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
collinlorb
Engager
11-16-2018
07:28 AM
Could this be because of the format of the field that I am using strptime for in the first place? Here is what it looks like.
2018-11-16T14:56:20.969Z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
morethanyell
Builder
11-18-2018
06:04 PM
| rex field=AcceptedDate "(?<date_ymd_ad>[^/]*)T(?<date_hms_ad>[^//]*)."
| rex field=trans_to_inprogress_date "(?<date_ymd_ttid>[^/]*)T(?<date_hms_ttid>[^//]*)."
| eval EndDate = strptime(date_ymd_ad . " " . date_hms_ad, "%F %X.%3N")
| eval StartDate = strptime(date_ymd_ttid . " " . date_hms_ttid, "%F %X.%3N")
| eval DateDiff = tostring(round(EndDate - StartDate, 3), "duration")
Get Updates on the Splunk Community!
Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...
We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...
IM Landing Page Filter - Now Available
We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...
Dynamic Links from Alerts to IM Navigators - New in Observability Cloud
Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...
