How to calculate the difference between a specific...

balleste · ‎10-07-2016

Hello,

I have the following output:

"ACME Enterprises","227671","bugs.bunny@acme.com","","","2016-10-01","14:18:11","Entertainment","Test"

I wanted to calculate today's date minus the date in the output (2016-06-30) and table like so:

ACME Enterprises, 2016-06-30, 6

Any help would be great.

woodcock · ‎10-08-2016

You need to use epoch times and the relative_time command with -60d:

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions

cmerriman · ‎10-07-2016

...|convert mktime(_time) as time|eval days=round((now()-time)/86400,0)

possibly something like this. mktime converts human readable to epoch, then using that to subtract from the current timestamp and dividing by the seconds in a day, that should give you total days.

richgalloway · ‎10-07-2016

There is no built-in function to subtract dates. You must first convert both dates into epoch form, do the calculation, then convert the result into readable form.

... | eval eDate = strptime(<your date field>,"%Y/%m/%d") | eval days = (now() - eDate)/86400 | table foo, <your date field>, days

---
If this reply helps you, Karma would be appreciated.

vr2312 · ‎10-07-2016

index=xyz| eval OldTime = relative_time(now(),"-60d") | table OldTime timestamp | eval OldTime=strftime(OldTime,"%Y-%m-%d %H:%M:%S")

This should work @balleste

gfreitas · ‎10-07-2016

Not very sure if I understood your question. You want to take 07/Oct - 01/Oct and receive 30/Jun??

How to calculate the difference between a specific date and the last 60 days?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!