Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter events based on event's datetime as current date?

vtsguerrero
Contributor
‎08-12-2015 01:02 PM

Hello! Sup?
I've been into some trouble when comparing datetimes to strings, I know I should convert'em.
Logs I've received are in this format:

CAMPAIGN_START_TIME
00:01:05

CAMPAIGN_END_TIME
00:06:12

CAMPAIGN_DATE
04/08/2015

So, what I did, was create a datetime based on these fields:

| eval CAMPAIGN_COMPLETE_DATE = (CAMPAIGN_DATE+ " " + CAMPAIGN_START_TIME)

The thing is, I need to make splunk filter results, based on this date, not the acctual _time filter.
So I was gonna compare CAMPAIGN_COMPLETE_DATE to "Today"

| eval Today = strftime(now(), "%d/%m/%Y %H:%M:%S")

But I'm having some issues due to string comparisson to datetime.
Does anyone know how can I solve this?
Thanks in advance!

- Vinicius Guerrero

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎08-12-2015 01:33 PM

Hi vtsguerrero,

you can use strptime on the CAMPAIGN_COMPLETE_DATE like this:

... | eval Today = strftime(now(), "%d/%m/%Y %H:%M:%S") | eval searchTime = strptime(CAMPAIGN_COMPLETE_DATE, "%d/%m/%Y %H:%M:%S") | where searchTime  = Today  | ...

From the docs http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonEvalFunctions about strptime 

This function takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y.

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎08-12-2015 01:33 PM

Hi vtsguerrero,

you can use strptime on the CAMPAIGN_COMPLETE_DATE like this:

... | eval Today = strftime(now(), "%d/%m/%Y %H:%M:%S") | eval searchTime = strptime(CAMPAIGN_COMPLETE_DATE, "%d/%m/%Y %H:%M:%S") | where searchTime  = Today  | ...

From the docs http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonEvalFunctions about strptime 

This function takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y.

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎08-14-2015 01:21 PM

Is it possible to filter between datetimes of event date?
For example, I need to filter a window between 23:00:00 and 06:00:00 but of the current day.
Considering current day as event date, is it possible to achieve this datetime window?
Thanks in advance @ MuS ♦

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...