Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Substract two dates

boo_com
Explorer
‎07-06-2021 04:33 AM

Hi all,

I am really struggling with subtracting  two dates from each other. It sounds that easy but drives me literally crazy.

All I want is, to subtract now() from a calculated date field.

 

 

| eval temp = relative_time(a, b)
| eval newdate = temp - now()

 

 

temp has a value of "1625634900.000000"

newdate will always be 01.01.1970. What am I missing?

Thanks in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2021 05:24 AM

Hi @boo_com ,

the way is the one in my previous answer, but you can display a number that means the second remaining, but not a date!

Why did you used that way to convert a date in epochtime?

you could easily run something like this:

your_search
| eval date=strptime("06.07.2021","%d.%m.%Y")
| eval temp=relative_time(date,"1d@d+07h+15m")
| eval diff=temp-now()
| table diff

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

boo_com
Explorer
‎07-06-2021 05:07 AM

Hi guys!

Thank you for your quick response! So Giuseppe explained it very well. I want to get the difference between two dates. One date is calculated, the other date is just now(). I want something like a countdown, printed in a new field showing the time left.

| eval date = strptime(substr("06.07.2021",7,4)+"/"+substr("06.07.2021",4,2)+"/"+substr("06.07.2021",0,2), "%Y/%m/%d")
| eval offset = @d+1d+07h+15m
| eval temp = relative_time(date, offset)

date can be in the future or in the past.

How can I subtract temp from now() to receive the difference between those two dates?

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2021 05:24 AM

Hi @boo_com ,

the way is the one in my previous answer, but you can display a number that means the second remaining, but not a date!

Why did you used that way to convert a date in epochtime?

you could easily run something like this:

your_search
| eval date=strptime("06.07.2021","%d.%m.%Y")
| eval temp=relative_time(date,"1d@d+07h+15m")
| eval diff=temp-now()
| table diff

Ciao.

Giuseppe

Reply
Solved! Jump to solution

boo_com
Explorer
‎07-06-2021 05:42 AM

nice, thank you so much! The difference is returned in seconds. That way I easily can calculate remaining minutes, hours and days!

Yes you are right, I do not need the "substr" function 🙂

 

Thanks again,

Peter

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2021 04:49 AM

Hi @boo_com,

if you convert the result of the relative_time  you have "2021-07-07" (in other words tomorrow!).

Let me understand:

  • "a" is a date,
  • "b" id a time modifier (e.g. "-2d")
  • you calculate a new date using relative time, that seems to be in the future,
  • then you want to calculate the difference between the new date and now,

is it correct?

But in this way you haven't a date but a time difference between two dates, so it hasn't reason to display the difference in a date format.

Could you better describe your need?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-06-2021 04:47 AM

@boo_com 

Can you please share more details about a and b fields ?? 

And why newdate will always be 01.01.1970. ?

KV

 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...