Solved: Re: Filter/search Rows based on Current date

ashanka · ‎05-01-2020

I have 3 rows like below. I need to filter rows that equals current date. Current date being may 1.

Plan Start Time

May 01, 08:00 PM
May 03 10:00 PM
Apr 30 07:00 AM

richgalloway · ‎05-01-2020

You'll have to convert the dates to epoch form to do that.

... | eval epoch = strptime('Plan Start Time', "%b %d, %H:%M %p")
| where (epoch >= relative_time(now(), "@d") AND epoch < relative_time(now(), "+1d@d")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-01-2020

You'll have to convert the dates to epoch form to do that.

... | eval epoch = strptime('Plan Start Time', "%b %d, %H:%M %p")
| where (epoch >= relative_time(now(), "@d") AND epoch < relative_time(now(), "+1d@d")

---
If this reply helps you, Karma would be appreciated.

ashanka · ‎05-01-2020

Thanks for the resposne. But its not fetching any results now.
When i add only the eval command.. not seeing any difference in result.

ashanka · ‎05-01-2020

I fugred it out . THANKS

ashanka · ‎05-01-2020

Thanks lot

ashanka · ‎05-01-2020

Now i have re-Written the query to have 2 columns like below.

Have to filter rows when these two matches .. can i use where or search?

Plan_Start_date , today_date
May 03 May 01
May 01 May 01

richgalloway · ‎05-01-2020

This run-anywhere query works with your original output.

| makeresults 
| eval PST=
"May 01, 08:00 PM|
May 03 10:00 PM|
Apr 30 07:00 AM" 
| eval PST=split(PST, "|") 
| mvexpand PST 
`comment("Above is just set-up.")`
| eval epoch = strptime(PST, "%b %d, %H:%M %p") 
| where (epoch >= relative_time(now(), "@d") AND epoch < relative_time(now(), "+1d@d"))
| rename PST as "Plan Start Time"
| table "Plan Start Time"

---
If this reply helps you, Karma would be appreciated.

Filter/search Rows based on Current date

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life