Can you please share some more information about your events and fields (StardDate, EndDate & others)?

I've one file CSV. In this file i have some fields, two of this are date. Splunk read this date like a strings. Now, i have need to calcolate the difference between this two dates, row-by-row. My final output must be a new column with all difference of this dates in days. i wrote 183 days, but was an example. I want all difference, for any row and any dates, in day, only this.

I try to write this:
...
| eval start_epoch = strptime(StardDate, "%d/%m/%Y")
| eval end_epoch = strptime(EndDate, "%d/%m/%Y")
| eval gap_in_seconds = end_epoch - start_epoch
| eval gap_in_days = round(gap_in_seconds / 86400)
and my output is null. Splunk don't convert my string date in strptime, if i try to write only " eval start_epoch = strptime(StardDate, "%d/%m/%Y")" i don't see anythings, i don't have output.

@perryd

I have tried with below CSV content. It's working. Is that any space OR double quotes in your CSV content?

StardDate,EndDate
01/01/2017,01/07/2017
01/01/2017,01/08/2017
01/01/2017,01/09/2017
01/01/2017,01/10/2017

Can i see how work on your splunk? It make the difference between these dates? (in day). Because my CVS is not controllable from me, i can't modify it. I can try to upload a my file with some dates and do test for it.

You can share your CSV data here OR data from search, using | inputlookup. So we can look at that.

I've data protect from non disclosure agreement. Now i try with a my CSV test and i see if run. If i continue to have problem i ask here, thank you.

HI Perry are your dates in 01/01/2017 format or 01-01-2017 format coz that will change the time format we are giving in order to convert the epoch strings.

SO the strptime
eval start_epoch = strptime(StardDate, "%d/%m/%Y")
will become
eval start_epoch = strptime(StardDate, "%d-%m-%Y")

I was making the same mistake

Glad to help you.

Happy Splunking