Hello Splunk community,
I am trying to make a comparison between the time in an event named Account_Expires against the time now.
I was trying a couple of things but nothing seems to work. The code below is where I gave up and asked for your help.
The idea is that there will be a text filled in "uitslag" if the Account_expires date is in the past from the present.
(Edited after a response) So to conclude, I am looking for a comparison between two time stamps: the time stamp in the field Expiration_date and the live date, and not the log created date or time. After working on it and using the given answers I came up with the code below, but it is still not working. I tried to convert the Account_Expire date to a number but that also didn't work.
| dedup _time
| eval datum =strftime(_time, "%d-%m-%Y %l:%M %p")
| rename src_user as "veranderd door"
| eval bewerking =if(Account_Expires = "-", Account_Expires = "<never>", if(Account_Expires = "<never>",Account_Expires,tonumber(trim(Account_Expires))))
| eval Real_time =strftime(now(), "%d-%m-%Y %l:%M:%S")
| eval uitslag =if(Real_time > bewerking, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "<never>", "geen datum opgegeven","Expire datum is in de toekomst")))
| table user,EventCode,"veranderd door",datum, Account_Expires, uitslag, bewerking, Real_time
| sort datum uitslag
| fields - EventCode
With kind regards
The solution for my problem was:
| dedup _time
| eval datum =strftime(_time, "%d-%m-%Y %l:%M %p")
| rename src_user as "veranderd door"
| eval test= Account_Expires
| eval test2=strptime(test, "%d-%m-%Y %H:%M:%S" )
| eval uitslag =if(now() > test2, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "", "geen datum opgegeven","Expire datum is in de toekomst")))
| table user,EventCode,"veranderd door",datum, Account_Expires, uitslag
| sort datum uitslag
| fields - EventCode
Glad that you were able to find the solution. If any of the answers or comments helped you reach the solution, feel free to upvote (^) them. Happy splunking!
@jeroenborger,
strftime converts time to a string and that's why your comparison doesn't yield a result.
Try the epoch values directly:
|eval test =if(now() < _time, "X", "Y")
Tried that and it is not working. I edited the post with more and new info. It was comparing string length to string length and not looking at the numbers in it.
@jeroenborger,
In your search again, you are converting now() (which is in epoch format) to a string. Instead of doing that, you should convert the string "Account_Expires" to epoch.
So lines 5, 6 and 7 of your search window should be:
| eval bewerking= if (Account_Expires = "-" OR Account_Expires = "<never>", strptime("2035-01-01","%Y-%m-%d"), strptime(Account_Expires,"%d-%m-%Y %H:%M:%S"))
| eval uitslag =if(now() > bewerking, "Expire datum is in het verleden", if(Account_Expires = "-", "geen datum opgegeven", if(Account_Expires = "<never>", "geen datum opgegeven","Expire datum is in de toekomst")))
So if Account_Expires is "-" or "<never>", we set a future date. You may change that date (2035-01-01) to any future date. The other Account_Expires dates are converted to epoch format using strptime.
use now() instead of now
Tried that and it is not working. I edited the post with more and new info.
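The comparison discussed in this thread, as a self-contained search added here as an example (it is not taken from any of the posts). It builds constructed sample rows with makeresults and puts the string comparison next to the strptime-based epoch comparison; the user names, the dates and the field names now_string, string_compare, expires_epoch and data_origin are assumptions for illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval user="sample_user_".n
| eval Account_Expires=case(n=1, "31-12-2019 23:59:59", n=2, "01-01-2099 00:00:00", n=3, "-", n=4, "<never>", n=5, "")
| eval data_origin="constructed sample row, not from the thread"
| eval now_string=strftime(now(), "%d-%m-%Y %H:%M:%S")
| eval string_compare=if(now_string > Account_Expires, "past", "future")
| eval expires_epoch=strptime(Account_Expires, "%d-%m-%Y %H:%M:%S")
| eval uitslag=case(isnull(expires_epoch), "geen datum opgegeven", expires_epoch < now(), "Expire datum is in het verleden", true(), "Expire datum is in de toekomst")
| table user, Account_Expires, now_string, string_compare, expires_epoch, uitslag, data_origin
```

string_compare orders the two values character by character starting at the day of the month, so on most days it labels the 2019 row "future" and the 2099 row "past", while uitslag is computed on epoch numbers. Values that do not parse ("-", "<never>", empty) give a null expires_epoch and are caught by isnull() before any comparison.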