Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Compare dates in splunk

sriva6
New Member
‎12-13-2013 01:38 AM

Hi,

I have the below query to compare the date I am extracting from logs with the current date:

(sourcetype="XYZ") OR (sourcetype="ABC") 
| rex "\|Some String\|\w+\|(?<Field1>[AEU]\d{9})\|" 
| rex "(?P<Date>\d+\/\d+\/\d+\|\d+:\d+:\d+.\d+[^\|]+)"  
| eval DatetimeEpoch=strptime(Date,"%Y/%m/%d %H:%M:%S") 
| eval epoch30minsago=relative_time(now(), "-30m@m" )  
| stats first(sourcetype) as last_sourcetype first(Date) by Field1 
| search last_sourcetype="XYZ" 
| where DatetimeEpoch>=epoch30minsago

I want to print out the values of Field1 if the field "Date" is 30 mins behind the current time.

The format of the filed "Date" is below:

2013/12/12|07:01:01.311
2013/12/12|07:20:17.464
2013/12/12|07:23:52.217
2013/12/12|07:24:52.480
2013/12/12|07:25:42.285
2013/12/12|07:25:49.494
2013/12/12|07:26:24.669

Please let me know how can I compare this with the current time/date. My query above is not working probably because the field "Date" is in string format and splunk is not able to convert it to epoch?

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-13-2013 10:33 AM

Your strptime() format doesn't match the Date field. Try "%Y/%m/%d %H:%M:%S.%3Q". Also the where clause should read 'where DatetimeEpoch <= epoch30minsago' to select events at least 30 minutes behind the current time.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎12-13-2013 10:30 AM

Also: have you seen the Timewrap app?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎12-13-2013 04:19 AM

Look, is this "Date" field in your events the same timestamp information that Splunk uses for indexing purposes? If so, then that information is already available in the _time field, so you don't have to extract it again with rex.

Check it with;

your search for events | head 3 | table _time, Date

Do the timestamps match?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...