
Compare date in search

New Member

I have events containing the field AgentLocalTime="9/19/2016 1:36:19 PM". I use eval to format the time:

eval final_time=strftime(strptime(AgentLocalTime,"%m/%d/%Y %l:%M:%S %p"),"%Y-%b-%d")

and I also eval start_date and end_date as below:

eval start_date=strptime("3/1/2016","%m/%d/%Y")
eval end_date=strptime("8/31/2016","%m/%d/%Y")

Can I compare final_time between start_date and end_date like below?

| where final_time>start_date AND final_time<end_date

Is there any solution if it can't?

Thanks.

0 Karma
1 Solution

SplunkTrust

You can keep (at least temporarily) the format of final_time as epoch, and then you can compare it with start_date and end_date, like this:

...your search | eval final_time=strptime(AgentLocalTime,"%m/%d/%Y %l:%M:%S %p") | eval start_date=strptime("3/1/2016","%m/%d/%Y") | eval end_date=strptime("8/31/2016","%m/%d/%Y")
| where final_time>start_date AND final_time<end_date | eval final_time=strftime(final_time,"%Y-%b-%d")


0 Karma
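To see the epoch comparison run without indexed data, here is an added example that is not from the original thread: it builds four constructed AgentLocalTime values with makeresults, applies the accepted answer's approach (parse to epoch, compare numerically, format last), and also handles the boundary the answer's search leaves open. strptime("8/31/2016","%m/%d/%Y") is midnight at the start of 31 August, so final_time<end_date silently drops every event that happened on 31 August; the example pushes end_date forward one day with relative_time and keeps the strict less-than. It uses %I, Splunk's documented 12-hour-clock directive, where the posts used %l. The timestamps are constructed sample data, not events from the original poster's index.

```spl
| makeresults
| eval AgentLocalTime="2/28/2016 11:59:59 PM,3/1/2016 1:36:19 PM,8/31/2016 4:05:00 PM,9/19/2016 1:36:19 PM"
| makemv delim="," AgentLocalTime
| mvexpand AgentLocalTime
| eval final_time=strptime(AgentLocalTime,"%m/%d/%Y %I:%M:%S %p")
| eval start_date=strptime("3/1/2016","%m/%d/%Y")
| eval end_date=relative_time(strptime("8/31/2016","%m/%d/%Y"),"+1d")
| where final_time>=start_date AND final_time<end_date
| eval final_time=strftime(final_time,"%Y-%b-%d")
| table AgentLocalTime final_time
```

Paste it into the search bar as-is; only two rows survive, 2016-Mar-01 and 2016-Aug-31. Drop the relative_time call and the 31 August row disappears, which is the off-by-one-day trap when the end date is meant to be inclusive. Both strptime calls interpret their strings in the searching user's timezone, so the two sides of the comparison stay consistent; comparing the strftime output instead ("2016-Sep-19" against an epoch number) would not, because Splunk would fall back to string comparison.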

New Member

thanks, it works now.

0 Karma
