Join the Conversation
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Subtracting Two Dates to get a Difference in Days
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subtracting Two Dates to get a Difference in Days
Hello,
I'd like to obtain a difference between two dates. One of these dates falls within a field in my logs called, "Opened". I'd like to minus TODAY's date from the "Opened" field value and then display the difference in days. The format of the date that in the Opened column is as such:
2019-12-16 13:09:30
Any insight on how to write the SPL for this is greatly appreciated.
index=dw sourcetype=dw
|stats count by Number, Contact, Discovery Method, State
|eval....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dw sourcetype=*
|rename opened_at as InTime
|eval "FirstAuth"= strftime((InTime ),"%d.%m.%y")
|rename _time as OutTime
|eval "LastAuth"= strftime((OutTime ),"%d.%m.%y")
|eval Lastloginduration = round((LastAuth-FirstAuth)/86400)
|table Lastloginduration
Interestingly, this query isn't pulling anything?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dw sourcetype=*
|eval FirstAuth= opened
|eval LastAuth= _time
|eval Lastlogin_duration = round((LastAuth-FirstAuth)/86400)
|table Lastlogin_duration
Hi, @itsmevic
_time is epoch. Although it looks like a character string.
opened is epoch, also. because you use strftime . OK?
How's this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I thought for sure that might work, but for some reason, it's still not pulling the desired results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=dw sourcetype=*
| eval time=_time
|table opened _time time
please copy and paste this results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try with below code
| rex field=Opened "(?[^\s]+)"
| eval "FTime"=strptime(opdate,"%Y-%m-%d")
| table FTime opdate _time
| rename _time as LTime
| eval duration = round((LTime-FTime)/86400)
| table duration
Hope this works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
| rename Opened as InTime | eval "FirstAuth"= strftime((InTime ),"%d.%m.%y")
| rename _time as OutTime | eval "LastAuth"= strftime((OutTime ),"%d.%m.%y")
|eval Lastloginduration = round((LastAuth-FirstAuth)/86400)
|table Lastloginduration
Splunk Search APIを使えば調査過程が残せます
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
