Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate Days from current date custom date

kpavan
Path Finder
‎12-11-2017 07:43 AM

Hi All,

Need help on below query to calculate ticket age from ticket creation date with current date. Please help me to fix this query. From below query am not getting the ticket_age its giving me the blank field, but both current date and ticket creation date's are getting converted correctly. But not sure where is missing. Please help me on this.

base search
|eval Tday=now()
|eval Today=strftime(now(), "%Y-%d-%m")
|eval CREATION_DATE=strftime(strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"),"%Y-%m-%d")
|eval TICKET_AGE=(Today - CREATION_DATE)
|table Request_Status CREATION_DATE TICKET_AGE

Thanks!
Pavan

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-11-2017 07:52 AM

Hi kpavan,
to calculate a difference between two dates, you have to convert them in epochtime using strptime:

base search
|eval CREATION_DATE=strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"), TICKET_AGE=(now()-CREATION_DATE)
|table Request_Status CREATION_DATE TICKET_AGE

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-11-2017 08:22 AM

@kpavan, if you want to use string time you need to conver the fields to YYYYmmdd not YYYY-mm-dd otherwise it will be treated as string not number. You can try out the following query. In your query there is also a mistake with the two string date formats being different i.e. %Y-%m-%d and %Y-%d-%m

| makeresults
| eval TICKET_CREATION_DATE="2017-10-11 10:20:30"
| eval Today=strftime(now(), "%Y%m%d")
| eval CREATION_DATE=strftime(strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"),"%Y%m%d")
| eval TICKET_AGE=(Today - CREATION_DATE)

However, you are better off using strptime to convert to epoch time. You can use fieldformat to display epoch time as string time.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-11-2017 07:52 AM

Hi kpavan,
to calculate a difference between two dates, you have to convert them in epochtime using strptime:

base search
|eval CREATION_DATE=strptime(TICKET_CREATION_DATE, "%Y-%m-%d %H:%M:%S"), TICKET_AGE=(now()-CREATION_DATE)
|table Request_Status CREATION_DATE TICKET_AGE

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kpavan
Path Finder
‎12-11-2017 08:17 AM

Thanks Giuseppe Its working!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...