compare a time in a log file to time now

Explorer

Hello Splunk community,

I am trying to make a comparison between the time in an event field named Account_Expires and the time now.
I was trying a couple of things but nothing seems to work. The code below is where I gave up and asked for your help.

The idea is that a text will be filled in "uitslag" if the Account_Expires date is in the past relative to the present.

(Edited after a response) So to conclude, I am looking for a comparison between two timestamps: the timestamp in the field Expiration_date and the live date, not the date or time the log was created. After working on it and using the given answers I came up with the code below, but it is still not working. I tried to convert the Account_Expires date to a number, but that also didn't work.

| dedup _time  
| eval datum =strftime(_time, "%d-%m-%Y %l:%M %p")  
| rename src_user as "veranderd door" 
| eval bewerking =if(Account_Expires = "-", Account_Expires = "<never>", if(Account_Expires = "<never>",Account_Expires,tonumber(trim(Account_Expires)))) 
| eval Real_time =strftime(now(), "%d-%m-%Y %l:%M:%S")
| eval uitslag =if(Real_time > bewerking, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "<never>", "geen datum opgegeven","Expire datum is in de toekomst"))) 
| table  user,EventCode,"veranderd door",datum, Account_Expires, uitslag, bewerking, Real_time
| sort  datum uitslag  
| fields  - EventCode

picture to clarify

With kind regards

1 Solution

Explorer

The solution for my problem was:

| dedup _time
| eval datum =strftime(_time, "%d-%m-%Y %l:%M %p")
| rename src_user as "veranderd door"
| eval test= Account_Expires
| eval test2=strptime(test, "%d-%m-%Y %H:%M:%S" )
| eval uitslag =if(now() > test2, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "", "geen datum opgegeven","Expire datum is in de toekomst")))
| table user,EventCode,"veranderd door",datum, Account_Expires, uitslag
| sort datum uitslag
| fields - EventCode



SplunkTrust

Glad that you were able to find the solution. If any of the answers or comments helped you to reach the solution, feel free to upvote (^) them. Happy splunking!



SplunkTrust

@jeroenborger,

strftime converts time to a string, and that's why your comparison doesn't yield a result.

Try the epoch values directly:

|eval test =if(now() < _time, "X", "Y")

Explorer

Tried that and it is not working. I edited the post with more and new info. It was comparing string length to string length and not looking at the numbers in it.


SplunkTrust

@jeroenborger,
In your search you are again converting now() (which is in epoch format) to a string. Instead of doing that, you should convert the string Account_Expires to epoch.

So lines 5, 6 and 7 of your search window should be:

 | eval bewerking= if (Account_Expires = "-" OR Account_Expires = "<never>", strptime("2035-01-01","%Y-%m-%d"), strptime(Account_Expires,"%d-%m-%Y %H:%M:%S"))
 | eval uitslag =if(now() > bewerking, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "<never>", "geen datum opgegeven","Expire datum is in de toekomst")))

So if Account_Expires is "-" or "<never>", we set a future date. You may change that date (2035-01-01) to any future date. The other Account_Expires dates are converted to epoch format using strptime.

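As an added illustration (not code from the thread or from Splunk), this Python snippet mirrors the accepted solution and the explanation above: it parses Account_Expires with the same day-first format, compares epoch values against a fixed "now", handles the "-" and "<never>" sentinels, and reproduces why the original strftime() string comparison gave wrong answers. The sample events, the fixed timestamp and the extra "datum niet herkend" outcome for unparsable values are constructed assumptions.

```python
from datetime import datetime, timezone

# Format the accepted answer passes to strptime() for the Account_Expires field.
DATE_FMT = "%d-%m-%Y %H:%M:%S"
# Fixed "now" so results are reproducible (constructed: 15 June 2025, 12:00 UTC).
FIXED_NOW = datetime(2025, 6, 15, 12, 0, 0, tzinfo=timezone.utc).timestamp()
# Constructed sample events (not from the thread): a past date, a future date,
# both sentinel values the thread discusses, and an unparsable value.
SAMPLE_EVENTS = [
    {"user": "alice", "Account_Expires": "20-01-2024 00:00:00"},
    {"user": "bob", "Account_Expires": "31-12-2030 00:00:00"},
    {"user": "carol", "Account_Expires": "-"},
    {"user": "dave", "Account_Expires": "<never>"},
    {"user": "erin", "Account_Expires": "not a date"},
]

def to_epoch(value):
    """Mimic SPL strptime(): epoch seconds, or None when the value does not parse."""
    try:
        return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None

def classify(account_expires, now_epoch):
    """Return the 'uitslag' text for one Account_Expires value by comparing epochs."""
    if account_expires in ("-", ""):
        return "geen datum opgegeven"
    if account_expires == "<never>":  # never expires, so treat it as a future date
        return "Expire datum is in de toekomst"
    expires = to_epoch(account_expires)
    if expires is None:  # SPL strptime() would return null here
        return "datum niet herkend"
    if expires < now_epoch:
        return "Expire datum is in het verleden"
    return "Expire datum is in de toekomst"

def classify_events(events, now_epoch=FIXED_NOW):
    """Apply classify() to every event, keyed by user (the 'table' in the thread)."""
    return {e["user"]: classify(e["Account_Expires"], now_epoch) for e in events}

def lexical_compare_disagrees(expires_str, now_epoch=FIXED_NOW):
    """Reproduce the original search's pitfall: comparing strftime() strings.
    Day-first strings sort by day, not by date: "15-06-2025 ..." < "20-01-2024 ..."
    because '1' < '2', so the string test says a 2024 date is still in the future.
    """
    now_str = datetime.fromtimestamp(now_epoch, timezone.utc).strftime(DATE_FMT)
    lexical_says_past = now_str > expires_str
    epoch_says_past = to_epoch(expires_str) < now_epoch
    return lexical_says_past != epoch_says_past
```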

Path Finder

Use now() instead of now.


Explorer

Tried that and it is not working. I edited the post with more and new info.
