Splunk Search

Compare two date

stevesomone
Engager

Hello,

I'd like to compare two date with this format 2011-11-30 22:21:05 for example.
If I search the following, this didn't work.
index="toto" solvedate>due_date

but if I search with this it work:
index="toto" solvedate>2011-12-15 17:21:05

What must I do for this to work ?
The date are correctly stored in the field.

Thanks in advance,

Steve

Tags (2)
1 Solution

joshd
Builder

You can convert the fields to epoch values and compare that way for best results... look to use the strptime() function... ie:

eval compare=strptime(solvedate,"%Y-%m-%d %H:%M:%S") | where compare>strptime(due_date,"%Y-%m-%d %H:%M:%S")

View solution in original post

siraj198204
Explorer

Hi ,
source="dbmon-tail://idwarehouse/idw_account" application=TFAYD [|inputlookup execSSO.csv |rename sso as owner] |eval exp_date=strftime(relative_time(strptime(lastPasswordChange,"%Y-%m-%d %H:%M:%S"),"+90d"), "%Y-%m-%d %H:%M") |eval compare=strptime(exp_date,"%Y-%m-%d %H:%M:%S") | where compare>now()

output,

exp_date =2014-11-04 11:06

I am not getting the compare>now() output .

exp_date-currentdate(now()) = number of days output .... ????? i am not getting the output ..

Thank u ...

Regards,
Siraj

0 Karma

joshd
Builder

Command reference can be found here:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

Functions for eval and where are here:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Remember to vote the answer as correct, dont want to leave things lingering as unanswered 🙂

0 Karma

stevesomone
Engager

Thank you for your response.

This work great.

Can we find all the function in the wiki ? Or somewhere else ?

Thanks.

Steve

0 Karma

joshd
Builder

You can convert the fields to epoch values and compare that way for best results... look to use the strptime() function... ie:

eval compare=strptime(solvedate,"%Y-%m-%d %H:%M:%S") | where compare>strptime(due_date,"%Y-%m-%d %H:%M:%S")
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...