Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Comparing Dates in Results- How do I get a laterdate?

jedimuffin
Observer
‎10-10-2022 01:39 PM

Hello, I have the search built that generates the results I want. But, the goal is to also be able to track high number of online orders after someone made a retail order.

index=data sector=Retail
| stats earliest(_time) as firstretailapp latest(_time) as lastretailapp by username
| join username
               [| search index=data sector=Online
                 | stats earliest(_time) as firstonlinesale latest(_time) as lastonlinesale by username]
| convert ctime(firstretailsale) ctime(lastretailsale) ctime(firstonlinesale) ctime(lastonlinesale)



When these results populate, I can not get the firstonlinesale to be a later date than the lastretailsale. I have tried | eval difference =time1-time2, and where difference >1 and other command searches to try and match up something but am unsuccessful. 

Thanks!

Labels (2)
Labels
0 Karma
Reply

jedimuffin
Observer
‎10-13-2022 07:49 AM 
| stats earliest(*_*) as *_* by username

this  drops it to one column of just a list of just usernames 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-13-2022 08:54 PM

I think trying to use double wildcard (earliest(*_*) as *_*) was a mistake.

index=data sector IN (Retail, Online)
| stats earliest(_time) as first_order latest(_time) as last_order by username sector
| eval first_retail = if(sector == "Retail", first_order, null())
| eval first_online = if(sector == "Online", first_order, null())
| eval last_retail = if(sector == "Retail", last_order, null())
| eval last_online = if(sector == "Online", last_order, null())
| stats earliest(first_retail) as first_retail earliest(first_online) as first_online  latest(last_retail) as last_retail latest(last_online) as last_online by username
| where first_online > last_retail
| convert ctime(first_retail) ctime(last_retail) ctime(first_online) ctime(last_online)

To clarify: the foreach subsearch is an iteration over first_order, last_order in order to populate first_retail, first_online, last_retail, and last_online as expanded in the above.  But the double wildcard probably wouldn't work. 

0 Karma
Reply

jedimuffin
Observer
‎10-14-2022 09:56 AM

thank you! this works except for the conditional comparison of the where clause. but, I can just export the results and go from there. Thanks!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-10-2022 03:51 PM

Avoid expensive join.  Try

index=data sector IN (Retail, Online)
| stats earliest(_time) as first_order latest(_time) as last_order by username sector
| foreach *_order
    [eval <<MATCHSTR>>_retail = if(sector == "Retail", <<FIELD>>, null())
    | eval <<MATCHSTR>>_online = if(sector == "Online", <<FIELD>>, null())]
| stats earliest(*_*) as *_* by username
| where first_online > last_retail
| convert ctime(first_retail) ctime(last_retail) ctime(first_online) ctime(last_online)

Hope this helps

0 Karma
Reply

jedimuffin
Observer
‎10-13-2022 07:35 AM

thank you. But I get 0 results and I dont understand what the search is doing. Also, in the where clause, that is the first time first_online and last_retail are mentioned? I will keep working on it

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...