Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Date field comparison

alexandrebas
Explorer
‎01-21-2022 06:05 AM

I need help regarding comparise a ISO 8601 date field with a specific date.

Below is a simple example:

index=devices | table device_last_seen

Results:

device_last_seen
2022-01-21T13:09:58Z
2022-01-21T13:10:06Z
2022-01-17T14:56:00Z
2022-01-16T10:57:18Z

 

My goal is to show only the devices reported in the last 24h. It should be like this:

device_last_seen
2022-01-21T13:09:58Z
2022-01-21T13:10:06Z

 

However the search below didn´t return any results.

index=devices
| eval last24h=relative_time(now(), "-1d")
| where device_last_seen > last24h
| table device_last_seen

Thank in advance for your help.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2022 08:24 AM

Dates can only be compared in integer form.  Use the strptime function to convert them to integers and then compare them.

index=devices
| eval last24h=relative_time(now(), "-1d")
| eval dls = strptime(device_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| where dls > last24h
| table device_last_seen

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2022 08:24 AM

Dates can only be compared in integer form.  Use the strptime function to convert them to integers and then compare them.

index=devices
| eval last24h=relative_time(now(), "-1d")
| eval dls = strptime(device_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| where dls > last24h
| table device_last_seen

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...