Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter/search Rows based on Current date

ashanka
Explorer
‎05-01-2020 11:27 AM

I have 3 rows like below. I need to filter rows that equals current date. Current date being may 1.

Plan Start Time

May 01, 08:00 PM
May 03 10:00 PM
Apr 30 07:00 AM

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-01-2020 11:44 AM

You'll have to convert the dates to epoch form to do that.

... | eval epoch = strptime('Plan Start Time', "%b %d, %H:%M %p")
| where (epoch >= relative_time(now(), "@d") AND epoch < relative_time(now(), "+1d@d")
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-01-2020 11:44 AM

You'll have to convert the dates to epoch form to do that.

... | eval epoch = strptime('Plan Start Time', "%b %d, %H:%M %p")
| where (epoch >= relative_time(now(), "@d") AND epoch < relative_time(now(), "+1d@d")
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ashanka
Explorer
‎05-01-2020 11:56 AM

Thanks for the resposne. But its not fetching any results now.
When i add only the eval command.. not seeing any difference in result.

0 Karma
Reply
Solved! Jump to solution

ashanka
Explorer
‎05-01-2020 12:25 PM

I fugred it out . THANKS

0 Karma
Reply
Solved! Jump to solution

ashanka
Explorer
‎05-01-2020 12:25 PM

Thanks lot

0 Karma
Reply
Solved! Jump to solution

ashanka
Explorer
‎05-01-2020 12:07 PM

Now i have re-Written the query to have 2 columns like below.

Have to filter rows when these two matches .. can i use where or search?

Plan_Start_date , today_date
May 03 May 01
May 01 May 01

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-01-2020 12:23 PM

This run-anywhere query works with your original output.

| makeresults 
| eval PST=
"May 01, 08:00 PM|
May 03 10:00 PM|
Apr 30 07:00 AM" 
| eval PST=split(PST, "|") 
| mvexpand PST 
`comment("Above is just set-up.")`
| eval epoch = strptime(PST, "%b %d, %H:%M %p") 
| where (epoch >= relative_time(now(), "@d") AND epoch < relative_time(now(), "+1d@d"))
| rename PST as "Plan Start Time"
| table "Plan Start Time"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...