Splunk Search

Compare a date field with current date

rbw78
Communicator

Hello,

I have some events into splunk which I would like to compare with today's date less than 30 days.
I want to exctract all the events which are older than 30 days like this.

The date field in the events has this form : Date="2012-09-24" which is %Y-%m-%d

How could I get the current splunk date in my search and make a compare with the date field ?
I suppose the use of epoch values ​​as proposed here could be a solution once the current date obtained.

http://splunk-base.splunk.com/answers/37272/compare-two-date

Thanks.

Tags (2)
1 Solution

reed_kelly
Contributor

To get the current date, you can just add:

|eval timenow=now()

This gets epoch time into the field timenow. If you want to format it, you can use strftime:

|eval nowstring=strftime(now(), "%Y-%m-%d")

If you want to convert your date to an epoch time:

|eval epochdate=strptime(yourdate, "%Y-%m-%d")

You can also use relative_time to find the epoch value of 30 days ago:

|eval epoch30days_ago=relative_time(now(), "-30d@d" )

This could be used to do a direct comparison with the strptime value from above.

Finally, you can do the strptime and set it to _time. This would allow you to set the time range directly:

|eval _time=strptime(yourdate, "%Y-%m-%d") |search latest=-30d

View solution in original post

reed_kelly
Contributor

To get the current date, you can just add:

|eval timenow=now()

This gets epoch time into the field timenow. If you want to format it, you can use strftime:

|eval nowstring=strftime(now(), "%Y-%m-%d")

If you want to convert your date to an epoch time:

|eval epochdate=strptime(yourdate, "%Y-%m-%d")

You can also use relative_time to find the epoch value of 30 days ago:

|eval epoch30days_ago=relative_time(now(), "-30d@d" )

This could be used to do a direct comparison with the strptime value from above.

Finally, you can do the strptime and set it to _time. This would allow you to set the time range directly:

|eval _time=strptime(yourdate, "%Y-%m-%d") |search latest=-30d

twh1
Communicator

Hi @reed.kelly,
How we can get the epoch time for relative time like -7d@h.

earliest = -7d@h

0 Karma

reed_kelly
Contributor

I think that is in my answer.
| makeresults
| fields - _time
| eval seven_days_on_hour=relative_time(now(), "-7d@h" )
Does that answer it?

0 Karma

twh1
Communicator

Hi @reed.kelly ,
Yes, we can get this for fixed time.

I want to check the records for which CREATE_TIME match based on my date selection from time picker control. Currently I am using below query, which is always checking only for today's date.

index=os_na sourcetype="oracle_os:healthcheck" "ADR Home =" | multikv | table HOSTNAME INCIDENT_ID PROBLEM_KEY CREATE_TIME TIMESTAMP | dedup INCIDENT_ID | eval create_day=substr(CREATE_TIME, 1, 10) | eval now_day = strftime(now(), "%m/%d/%Y") | where INCIDENT_ID!=" " AND create_day==now_day

Could you please help me to get desired result.

0 Karma

reed_kelly
Contributor

I have some thoughts, but this question deserves its own top-level question so that others can offer their own insight. Also, people looking for answers to questions like yours will find a more targeted answer. Don't be afraid to open a whole new question 🙂

0 Karma

twh1
Communicator
0 Karma

skender27
Contributor

Hi,

Thanks for this answer.
And how to control if some date and time is after or before a certain date and time (let's say in epoch time)?

Skender

0 Karma

rbw78
Communicator

I tried with the following lines in my search and it works now.

eval epochevent=strptime(N_patch, "%Y/%m/%d") | eval epoch30daysago=relative_time(now(), "-30d@d" ) | where epoch30daysago>=epochevent

Thanks for your help !

0 Karma

Ayn
Legend

Do you mean that the date field is different from the event's timestamp? So you want to compare the timestamp to some date in the event?

0 Karma

in22915110
Engager

Hi,

I want to compare the event time to less than Tuesday 2PM of every week, Could you please let me know if this is possible??

Thanks,
Anilkumar

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...