Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Comparison between Future date and current date

dsiob
Communicator
‎06-09-2017 03:13 AM

I have a date field 'Start Time' in csv. I have to filter if date in this field is current week date or future week date. For this I fetch '%W' of the date and current date and comparing. But if the date is future date its '%W' is coming as current week only. It is not considering future dates.alt text

Any help will be great!

Preview file
74 KB
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2017 08:05 AM

Give this a try

/* source*/ | eval StartTimeDetail=case(strptime('Start Time',"%m/%d/%Y %H:%M")>=relative_time(now(),"@w+7d"),"Future Week",strptime('Start Time',"%m/%d/%Y %H:%M")>=relative_time(now(),"@w"),"This Week",1=1,"Prior Week")
| table "Start Time" StartTimeDetail

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-09-2017 08:05 AM

Give this a try

/* source*/ | eval StartTimeDetail=case(strptime('Start Time',"%m/%d/%Y %H:%M")>=relative_time(now(),"@w+7d"),"Future Week",strptime('Start Time',"%m/%d/%Y %H:%M")>=relative_time(now(),"@w"),"This Week",1=1,"Prior Week")
| table "Start Time" StartTimeDetail
Reply
Solved! Jump to solution

dsiob
Communicator
‎06-11-2017 11:15 PM

Ohh Superb!! its working

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎06-09-2017 06:50 AM

There seems to be a lot of unneeded churn in your search. Does this work for you?

your base search 
| eval InFuture=if((now()-_time)>86400,"yes","no") 
| table _time InFuture

EDIT: you could change 86400 to 0 to catch anything in the future. Or change to 604800 to catch something 1 week in the future or more.

Reply
Solved! Jump to solution

dsiob
Communicator
‎06-11-2017 11:05 PM

this returns whether the difference is 1 week or not. But I have to show whether _time is in current week or not

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2017 05:50 AM

Why not compare epoch times directly? If _time > now() then the event is in the future.

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...