Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Filtering data from lookup csv file based on time difference

sambit_kabi
Path Finder
‎02-13-2020 05:33 AM

I have a lookup csv file which has the following data.
Day Messages
12/02/2020 1571
12/02/2020 302
12/02/2020 1

What I want to do is read the Day column and then subtract the day from today's date to check if the difference is greater than 30.
If the diff > 30 filter it out.

I tried the following query and it doesn't work.

| inputlookup messages_per_day.csv | eval today=strftime(now(), "%d/%m/%Y") | eval diff=today - Day

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sambit_kabi
Path Finder
‎02-14-2020 10:51 PM

I managed to solve this in the following manner. Though it may not be efficient but it worked for me.

Instead of the date I kept the time as "seconds from epoch" in the csv file which looked like(assume the data is dummy).

Day Messages
12022020 1571
12022020 302
12022020 1

Then using the following construct i was able to take a diff and compare it.
| inputlookup abc.csv | eval today=relative_time(now(), "%d") | eval diff = today - Day | where diff <= 86400

I am sure the strptime function should have done the job too with my previous approach but somehow in my case it didn't convert the date in the csv to date that can be compared. So I took this approach. Still trying to figure out why strptime didn't work.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sambit_kabi
Path Finder
‎02-14-2020 10:51 PM

I managed to solve this in the following manner. Though it may not be efficient but it worked for me.

Instead of the date I kept the time as "seconds from epoch" in the csv file which looked like(assume the data is dummy).

Day Messages
12022020 1571
12022020 302
12022020 1

Then using the following construct i was able to take a diff and compare it.
| inputlookup abc.csv | eval today=relative_time(now(), "%d") | eval diff = today - Day | where diff <= 86400

I am sure the strptime function should have done the job too with my previous approach but somehow in my case it didn't convert the date in the csv to date that can be compared. So I took this approach. Still trying to figure out why strptime didn't work.

0 Karma
Reply
Solved! Jump to solution

spayneort
Contributor
‎02-13-2020 11:13 PM 
| inputlookup messages_per_day.csv 
| where relative_time(now(),"-30d@d") < strptime(Day, "%d/%m/%Y")
0 Karma
Reply
Solved! Jump to solution

sambit_kabi
Path Finder
‎02-14-2020 10:43 PM

Thanks for the help. I used the relative_time function as you pointed out. That came in handy.
Unfortunately the strptime function didn't work for me as I have mentioned before. It didn't convert the time in csv to time to be compared. I don't get result for today variable.

However I managed to find a solution by dumping the time in "secs from epoch" in the csv and then compared the diff between the today's start time with the time in csv.

used constructs like | eval diff=relative_time(now(), "@d") - Day | where diff < 86400.

Still wondering why strptime didn't work for me. However I found that | convert ctime(Day) did work for me

Is there any condition that strptime has when used with inputlookup. Nothing mentioned in the documentation.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-13-2020 05:51 AM

Timestamps cannot be compared in string form. Try the inverse of your query.

| inputlookup messages_per_day.csv | eval today=strptime(Day, "%d/%m/%Y") | eval diff=now() - today
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sambit_kabi
Path Finder
‎02-14-2020 10:40 PM

Thanks for the help. Unfortunately the strptime function didn't work for me. It didn't convert the time in csv to time to be compared. I don't get result for today variable.

However I managed to find a solution by dumping the time in "secs from epoch" in the csv and then compared the diff between the today's start time with the time in csv.

used constructs like | eval diff=relative_time(now(), "@d") - Day | where diff < 86400.

Still wondering why strptime didn't work for me. However I found that | convert ctime(Day) did work for me.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...