- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Subtracting Two Dates to get a Difference in D...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subtracting Two Dates to get a Difference in Days
Hello,
I'd like to obtain a difference between two dates. One of these dates falls within a field in my logs called, "Opened". I'd like to minus TODAY's date from the "Opened" field value and then display the difference in days. The format of the date that in the Opened column is as such:
2019-12-16 13:09:30
Any insight on how to write the SPL for this is greatly appreciated.
index=dw sourcetype=dw
|stats count by Number, Contact, Discovery Method, State
|eval....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dw sourcetype=*
|rename opened_at as InTime
|eval "FirstAuth"= strftime((InTime ),"%d.%m.%y")
|rename _time as OutTime
|eval "LastAuth"= strftime((OutTime ),"%d.%m.%y")
|eval Lastloginduration = round((LastAuth-FirstAuth)/86400)
|table Lastloginduration
Interestingly, this query isn't pulling anything?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dw sourcetype=*
|eval FirstAuth= opened
|eval LastAuth= _time
|eval Lastlogin_duration = round((LastAuth-FirstAuth)/86400)
|table Lastlogin_duration
Hi, @itsmevic
_time is epoch. Although it looks like a character string.
opened is epoch, also. because you use strftime . OK?
How's this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I thought for sure that might work, but for some reason, it's still not pulling the desired results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dw sourcetype=*
| eval time=_time
|table opened _time time
please copy and paste this results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try with below code
| rex field=Opened "(?[^\s]+)"
| eval "FTime"=strptime(opdate,"%Y-%m-%d")
| table FTime opdate _time
| rename _time as LTime
| eval duration = round((LTime-FTime)/86400)
| table duration
Hope this works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
| rename Opened as InTime | eval "FirstAuth"= strftime((InTime ),"%d.%m.%y")
| rename _time as OutTime | eval "LastAuth"= strftime((OutTime ),"%d.%m.%y")
|eval Lastloginduration = round((LastAuth-FirstAuth)/86400)
|table Lastloginduration
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
