Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to compare date time present in a log with the date time selected from the time range picker?

shannu1241
New Member
‎06-20-2015 05:38 PM

I have a log, which has two time fields,

  1. _time(Log indexed time)
  2. StartDate (Date time inside the log)

When i select date range, it compares with _time.

Is there any way to compare date selected from date range with "StartDate" ?? Please help me.

0 Karma
Reply

lguinn2
Legend
‎06-20-2015 07:57 PM

If the StartDate reflects when the event happened, then the StartDate should be stored in _time. You need to set this up using props.conf on the indexer (unless you are using a heavy forwarder to collect the data). Splunk only uses the time that it indexed the data when it can't find any other timestamp automatically and nothing is configured in props.conf to tell it how to parse. You should read Configure timestamps and fix your data.

There is no way to easily select the StartDate range, as all searches are based on _time. However, if you search over "All Time" or a sufficiently large time period (last 90 days, perhaps?), you can filter based on StartDate. For this to work, StartDate will need to be a Unix-formatted time. It might work something like this.

yoursearchcriteria
| eval Start = strptime(StartDate,"%m-%d-%Y")
| where Start >=relative_time(now(),"-7d@d")

This will select events that have a StartDate within the last week. For it to work, the timerange picker will have to select all events that might have a StartDate with an appropriate time.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...