All Apps and Add-ons

how to get the time from a field

Path Finder

Hi all,

I have a saved search which is directly extracted from the database, the date formate is like below: 13:02:01 2016-03-28, now i want to extract the date and only display those records for yesterday, but nothing happened when I create a new column with below search:

|savedsearch **
|eval day=strftime(date,"%Y-%m-%d")
|eval now=strftime(now(), "%Y-%m-%d")
|eval timeinterval=now-day
|where time
interval="1"

The problems is that "day" field can't be created using this, it seems that strftime function can't works on saved search or something. I also tried another search to extract date, but it also failed, "completeday" could be created and display as "2016-03-28" for instance, but when I create timeinterval, it can't be calculated as a number.

|savedsearch rtvisits
|eval temp=split(date," ")
| eval complete
day=mvindex(temp,1)
|eval nowstring=strftime(now(), "%Y-%m-%d")
|eval timeinterval=nowstring-completeday

Can anyone help me on this question? Thanks a lot.

1 Solution

Esteemed Legend

You can use strftime in any search.
The problem with now is that it is already in epoch.
The problem with day is that date is not in epoch so you either need to convert to epoch or use string functions; try this instead
The problem with your search is that you are not creating epoch fields (using the wrong function) so your subtraction cannot work.
I assume that are try to check if the date on the event is not "today". If so, Try this (note that time_interval is in seconds and 1 day has 606024 seconds).

| savedsearch **
| eval day=strptime(date,"%H:%M:%S %Y-%m-%d") | bucket date span=1d
| eval now=now() | bucket now span=1d
| eval time_interval = now - day
| search time_interval>0

View solution in original post

Esteemed Legend

You can use strftime in any search.
The problem with now is that it is already in epoch.
The problem with day is that date is not in epoch so you either need to convert to epoch or use string functions; try this instead
The problem with your search is that you are not creating epoch fields (using the wrong function) so your subtraction cannot work.
I assume that are try to check if the date on the event is not "today". If so, Try this (note that time_interval is in seconds and 1 day has 606024 seconds).

| savedsearch **
| eval day=strptime(date,"%H:%M:%S %Y-%m-%d") | bucket date span=1d
| eval now=now() | bucket now span=1d
| eval time_interval = now - day
| search time_interval>0

View solution in original post

Path Finder

Dear all

Issue has been fixed by below command, Thanks a lot for all your help.
| savedsearch **
| eval date = strptime(date, "%H:%M:%S %Y-%m-%d")
| where date<= relativetime(now(),"@d") AND (date>= relativetime(now(),"-1d@d"))

0 Karma

Path Finder

Hi Woodcock,

Thanks again for your help, with your search, i can both get now and day column as unix epoch, and result is displayed like below:
day time_interval
1459141321.000000 101713.232931

so how can I change time_interval as a readable formate like the difference days between current day and the recode day (in the date column)? since I only want to select yesterday's result, and it is very hard for me to filter.

Thanks

0 Karma