Splunk Search

Compare Dates and exclude event if it is older

Noob_splunker
Explorer

Hi,

How do I compare dates and exclude the event if it is older?

Here is my table from the transaction command. I want to compare the ReportedTime to Occurtime. If it is older, then NeSn will be excluded.

 


 

| ReportedTime | NeSn | Occurtime |
|---|---|---|
| 2020-07-01 23:38 | 117629897 | 29/04/2020 12:03 |
| | 117629923 | 11/06/2020 23:26 |
| | 117629924 | 11/06/2020 23:26 |
| | 117629925 | 11/06/2020 23:26 |
| | 117629926 | 11/06/2020 23:26 |
| | 117629927 | 11/06/2020 23:26 |
| | 118106613 | 5/07/2020 21:30 |
| | 114218693 | 14/04/2020 6:32 |

 

Regards,

0 Karma

DavidHourani
Super Champion

Hi @Noob_splunker 

What's the query you're using to build out this table? It seems to me that most of your fields are multi-value fields.

You're probably better off making sure that each line has a single ReportedTime and Occurtime. Once you do that you can use the answer posted by Rich to compare both timestamps.

Cheers,

David

richgalloway
SplunkTrust

It may be easier to exclude the events before the transaction command. For example,

| where strptime(OccurTime, "%Y-%m-%d %H:%M:%S") < strptime(ReportedTime, "%Y-%m-%d %H:%M:%S")
| transaction ...

Date strings have to be converted to integers before they can be compared. Hence the strptime() calls.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Noob_splunker
Explorer

Hi @richgalloway 

Thanks for your reply. I tried to add it before or after the transaction but it is still giving me the old dates.


 

Regards,

0 Karma
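The two suggestions in this thread combined (one value per row, then strptime() on both fields), as an added example that is not from any of the posters. It assumes the two formats shown in the question's table (ReportedTime as year-month-day, Occurtime as day/month/year, both without seconds), uses constructed sample rows including a made-up NeSn 900000001, and assumes "older" means an Occurtime earlier than ReportedTime.

```spl
| makeresults
| eval ReportedTime="2020-07-01 23:38" ```constructed sample shaped like the table in the question```
| eval NeSn=split("117629897,117629923,900000001", ","), Occurtime=split("29/04/2020 12:03,11/06/2020 23:26,05/07/2020 21:30", ",")
| eval pair=mvzip(NeSn, Occurtime, "#") ```keep each NeSn paired with its own Occurtime```
| mvexpand pair
| eval NeSn=mvindex(split(pair, "#"), 0), Occurtime=mvindex(split(pair, "#"), 1)
| eval reported_epoch=strptime(ReportedTime, "%Y-%m-%d %H:%M") ```format string must match the field's actual layout```
| eval occur_epoch=strptime(Occurtime, "%d/%m/%Y %H:%M")
| eval parse_status=if(isnull(reported_epoch) OR isnull(occur_epoch), "format mismatch", "ok")
| where parse_status="ok" AND occur_epoch >= reported_epoch ```assumption: drop rows whose Occurtime is older than ReportedTime```
| table ReportedTime NeSn Occurtime
```

Reverse the comparison in the where clause if "older" is meant the other way round, and check parse_status before filtering to see whether either format string failed to parse a value.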