Solved: Re: Date comparison with if statements

mcamilleri · ‎08-29-2013

I need to use an if statement to set the dates in startDateFrom and startDateTo if not specified in the selectedStartDateFrom and selectedStartDateTo variables.

I then want to use startDateFrom and startDateTo to filter for entries with Experiment_Instance_Start_Date between startDateFrom and startDateTo.

The date comparison works fine, it's only when I add the if statements that it stops working. Any ideas what I'm doing wrong here?

| eval compare=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y") 
| where compare>=strptime(startDateFrom,"%m/%d/%Y")
| eval compare=strptime(startDateTo,"%m/%d/%Y")
| where compare>=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y")
| eval startDateFrom=if("$selectedStartDateFrom$"="", "01/01/1970", "$selectedStartDateFrom$")
| eval startDateTo=if("$selectedStartDateTo$"="", "01/01/2100", "$selectedStartDateTo$")

mcamilleri · ‎08-30-2013

As aholzer said in the comments above, "$selectedStartDateFrom$"="" is wrong, so I changed that to len("$selectedStartDateFrom$")>0. I also needed to move the if statements to before the date comparison for the startDateFrom and startDateTo to be available. Also start date of 01/01/1970 returns no results, so I changed it to a later date.

| eval startDateFrom=if(len("$selectedStartDateFrom$")>0, "$selectedStartDateFrom$", "01/01/2000")
| eval startDateTo=if(len("$selectedStartDateTo$")>0, "$selectedStartDateTo$", "01/01/2099")
| eval compare=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y") 
| where compare>=strptime(startDateFrom,"%m/%d/%Y")
| eval compare=strptime(startDateTo,"%m/%d/%Y")
| where compare>=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y")

View solution in original post

mcamilleri · ‎08-30-2013

As aholzer said in the comments above, "$selectedStartDateFrom$"="" is wrong, so I changed that to len("$selectedStartDateFrom$")>0. I also needed to move the if statements to before the date comparison for the startDateFrom and startDateTo to be available. Also start date of 01/01/1970 returns no results, so I changed it to a later date.

| eval startDateFrom=if(len("$selectedStartDateFrom$")>0, "$selectedStartDateFrom$", "01/01/2000")
| eval startDateTo=if(len("$selectedStartDateTo$")>0, "$selectedStartDateTo$", "01/01/2099")
| eval compare=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y") 
| where compare>=strptime(startDateFrom,"%m/%d/%Y")
| eval compare=strptime(startDateTo,"%m/%d/%Y")
| where compare>=strptime(Experiment_Instance_Start_Date,"%m/%d/%Y")

mcamilleri · ‎08-30-2013

great, that helped a lot. I'm using len now and I also had to move the if statements before the date comparison for the startDateFrom and startDateTo to be available

aholzer · ‎08-29-2013

Looks like you are doing a string comparison rather than a date comparison. The double quotes around your $selectedStartDateFrom$ convert it to a string.

In string comparisons you need a == comparison rather than an = comparison: "$selectedStartDateFrom$"==""

If this doesn't work, you could also do something like: len("$selectedStartDateFrom$")>0

hope this helps

mcamilleri · ‎08-29-2013

They're tokens provided from a form

sowings · ‎08-29-2013

Are selectedStartDateFrom and selectedStartDateTo fields from your data, or tokens, as provided from a form? The syntax of your if will vary depending upon the answer.

Date comparison with if statements

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?