Hello,
I have some events in Splunk that I would like to compare with today's date less 30 days.
I want to extract all the events that are older than 30 days, like this.
The date field in the events has this form: Date="2012-09-24", which is %Y-%m-%d.
How could I get the current Splunk date in my search and compare it with the date field?
I suppose the use of epoch values, as proposed here, could be a solution once the current date is obtained.
http://splunk-base.splunk.com/answers/37272/compare-two-date
Thanks.
To get the current date, you can just add:
|eval timenow=now()
This gets epoch time into the field timenow. If you want to format it, you can use strftime:
|eval nowstring=strftime(now(), "%Y-%m-%d")
If you want to convert your date to an epoch time:
|eval epochdate=strptime(yourdate, "%Y-%m-%d")
You can also use relative_time to find the epoch value of 30 days ago:
|eval epoch30days_ago=relative_time(now(), "-30d@d")
This could be used to do a direct comparison with the strptime value from above.
Finally, you can do the strptime and set it to _time. This would allow you to set the time range directly:
|eval _time=strptime(yourdate, "%Y-%m-%d") |search latest=-30d
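The following search is an added worked example, not code from the original answer; it puts the pieces above (strptime, now(), relative_time with a day snap, and a where comparison) together on constructed rows generated with makeresults so it can be run in any Splunk search bar without indexed data. The field name Date matches the question; the three sample dates (one fixed, two computed relative to now()) and the deliberately malformed fourth row are assumptions made for the demonstration.

```spl
| makeresults count=4
| streamstats count AS n
| eval Date=case(n==1, "2012-09-24",
                 n==2, strftime(relative_time(now(), "-45d"), "%Y-%m-%d"),
                 n==3, strftime(relative_time(now(), "-3d"), "%Y-%m-%d"),
                 n==4, "24/09/2012")
| eval epochdate=strptime(Date, "%Y-%m-%d")
| eval cutoff=relative_time(now(), "-30d@d")
| eval cutoff_str=strftime(cutoff, "%Y-%m-%d %H:%M:%S")
| eval age_days=round((now() - epochdate) / 86400, 0)
| eval verdict=case(isnull(epochdate), "unparseable date",
                    epochdate < cutoff, "older than 30 days",
                    true(), "within the last 30 days")
| table n Date epochdate cutoff_str age_days verdict
```

Rows 1 and 2 come out as "older than 30 days", row 3 as "within the last 30 days", and row 4 as "unparseable date" because strptime returns null when the string does not match the format. That last case matters for a filter: a plain `| where epochdate < cutoff` silently drops rows with a null epochdate, so events with a malformed Date neither appear as old nor as recent. Check for them explicitly with isnull(epochdate) before trusting the filtered count. The "-30d@d" snap puts the cutoff at midnight, the same granularity strptime gives a "%Y-%m-%d" string, so comparing the two does not depend on the time of day the search runs; both are interpreted in the search's timezone. To keep only the old events, replace the table command with `| where epochdate < cutoff`.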
Hi @reed.kelly,
How can we get the epoch time for a relative time like -7d@h?
earliest = -7d@h
I think that is in my answer.
| makeresults
| fields - _time
| eval seven_days_on_hour=relative_time(now(), "-7d@h" )
Does that answer it?
Hi @reed.kelly ,
Yes, we can get this for fixed time.
I want to check the records for which CREATE_TIME matches my date selection from the time picker control. Currently I am using the query below, which always checks only for today's date.
index=os_na sourcetype="oracle_os:healthcheck" "ADR Home ="
| multikv
| table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP
| dedup INCIDENT_ID
| eval create_day=substr(CREATE_TIME, 1, 10)
| eval now_day=strftime(now(), "%m/%d/%Y")
| where INCIDENT_ID!=" " AND create_day==now_day
Could you please help me get the desired result.
I have some thoughts, but this question deserves its own top-level question so that others can offer their own insight. Also, people looking for answers to questions like yours will find a more targeted answer. Don't be afraid to open a whole new question 🙂
I have posted this as a new question; below is the link.
https://answers.splunk.com/answers/689581/how-to-compare-the-log-date-with-time-picker-date.html
Hi,
Thanks for this answer.
And how do I check whether some date and time is after or before a certain date and time (let's say in epoch time)?
Skender
I tried the following lines in my search and it works now.
| eval epochevent=strptime(N_patch, "%Y/%m/%d")
| eval epoch30daysago=relative_time(now(), "-30d@d")
| where epoch30daysago>=epochevent
Thanks for your help !
Do you mean that the date field is different from the event's timestamp? So you want to compare the timestamp to some date in the event?
Hi,
I want to compare the event time to less than Tuesday 2PM of every week. Could you please let me know if this is possible?
Thanks,
Anilkumar