Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Calculate Days from current date custom date

kpavan
Path Finder
‎12-11-2017 07:43 AM

Hi All,

Need help on below query to calculate ticket age from ticket creation date with current date. Please help me to fix this query. From below query am not getting the ticket_age its giving me the blank field, but both current date and ticket creation date's are getting converted correctly. But not sure where is missing. Please help me on this.

base search
|eval Tday=now()
|eval Today=strftime(now(), "%Y-%d-%m")
|eval CREATION_DATE=strftime(strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d")
|eval TICKET_AGE=(Today - CREATION_DATE)
|table Request_Status CREATION_DATE TICKET_AGE

Thanks!
Pavan

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-11-2017 07:52 AM

Hi kpavan,
to calculate a difference between two dates, you have to convert them in epochtime using strptime:

base search
|eval CREATION_DATE=strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"), TICKET_AGE=(now()-CREATION_DATE)
|table Request_Status CREATION_DATE TICKET_AGE

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-11-2017 08:22 AM

@kpavan, if you want to use string time you need to conver the fields to YYYYmmdd not YYYY-mm-dd otherwise it will be treated as string not number. You can try out the following query. In your query there is also a mistake with the two string date formats being different i.e. %Y-%m-%d and %Y-%d-%m

| makeresults
| eval TICKET_CREATION_DATE="2017-10-11 10:20:30"
| eval Today=strftime(now(), "%Y%m%d")
| eval CREATION_DATE=strftime(strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"),"%Y%m%d")
| eval TICKET_AGE=(Today - CREATION_DATE)

However, you are better off using strptime to convert to epoch time. You can use fieldformat to display epoch time as string time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-11-2017 07:52 AM

Hi kpavan,
to calculate a difference between two dates, you have to convert them in epochtime using strptime:

base search
|eval CREATION_DATE=strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"), TICKET_AGE=(now()-CREATION_DATE)
|table Request_Status CREATION_DATE TICKET_AGE

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kpavan
Path Finder
‎12-11-2017 08:17 AM

Thanks Giuseppe Its working!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...