Splunk Enterprise Security
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Subtracting Two Dates to get a Difference in Days
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subtracting Two Dates to get a Difference in Days
itsmevic
Communicator
01-21-2020
10:13 AM
Hello,
I'd like to obtain a difference between two dates. One of these dates falls within a field in my logs called, "Opened". I'd like to minus TODAY's date from the "Opened" field value and then display the difference in days. The format of the date that in the Opened column is as such:
2019-12-16 13:09:30
Any insight on how to write the SPL for this is greatly appreciated.
index=dw sourcetype=dw
|stats count by Number, Contact, Discovery Method, State
|eval....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
itsmevic
Communicator
01-21-2020
11:03 AM
index=dw sourcetype=*
|rename opened_at as InTime
|eval "FirstAuth"= strftime((InTime ),"%d.%m.%y")
|rename _time as OutTime
|eval "LastAuth"= strftime((OutTime ),"%d.%m.%y")
|eval Lastloginduration = round((LastAuth-FirstAuth)/86400)
|table Lastloginduration
Interestingly, this query isn't pulling anything?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-21-2020
03:40 PM
index=dw sourcetype=*
|eval FirstAuth= opened
|eval LastAuth= _time
|eval Lastlogin_duration = round((LastAuth-FirstAuth)/86400)
|table Lastlogin_duration
Hi, @itsmevic
_time is epoch. Although it looks like a character string.
opened is epoch, also. because you use strftime . OK?
How's this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
itsmevic
Communicator
01-21-2020
04:28 PM
I thought for sure that might work, but for some reason, it's still not pulling the desired results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
01-21-2020
06:28 PM
index=dw sourcetype=*
| eval time=_time
|table opened _time time
please copy and paste this results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anantha123
Communicator
01-22-2020
08:33 AM
Please try with below code
| rex field=Opened "(?[^\s]+)"
| eval "FTime"=strptime(opdate,"%Y-%m-%d")
| table FTime opdate _time
| rename _time as LTime
| eval duration = round((LTime-FTime)/86400)
| table duration
Hope this works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anantha123
Communicator
01-21-2020
10:46 AM
try this
| rename Opened as InTime | eval "FirstAuth"= strftime((InTime ),"%d.%m.%y")
| rename _time as OutTime | eval "LastAuth"= strftime((OutTime ),"%d.%m.%y")
|eval Lastloginduration = round((LastAuth-FirstAuth)/86400)
|table Lastloginduration
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
