Solved: Date field comparison

alexandrebas · ‎01-21-2022

I need help regarding comparise a ISO 8601 date field with a specific date.

Below is a simple example:

index=devices | table device_last_seen

Results:

device_last_seen

2022-01-21T13:09:58Z

2022-01-21T13:10:06Z

2022-01-17T14:56:00Z

2022-01-16T10:57:18Z

My goal is to show only the devices reported in the last 24h. It should be like this:

device_last_seen

2022-01-21T13:09:58Z

2022-01-21T13:10:06Z

However the search below didn´t return any results.

index=devices
| eval last24h=relative_time(now(), "-1d")
| where device_last_seen > last24h
| table device_last_seen

Thank in advance for your help.

richgalloway · ‎01-21-2022

Dates can only be compared in integer form. Use the strptime function to convert them to integers and then compare them.

index=devices
| eval last24h=relative_time(now(), "-1d")
| eval dls = strptime(device_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| where dls > last24h
| table device_last_seen

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎01-21-2022

Dates can only be compared in integer form. Use the strptime function to convert them to integers and then compare them.

index=devices
| eval last24h=relative_time(now(), "-1d")
| eval dls = strptime(device_last_seen, "%Y-%m-%dT%H:%M:%S%Z")
| where dls > last24h
| table device_last_seen

---
If this reply helps you, Karma would be appreciated.

Date field comparison

search job inspector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation