Hi, i searched but i don't found any solution. I wont the difference between two fields that are date in string format. My field are:
I don't understand how to convert my string date in values day.
run this search anywhere and apply the logic to address your challenge.
here i used
strptime and leverage the epoch numeric value to calculate gap
| makeresults count=1 | eval start_date = "01/01/2017" | eval end_date="01/07/2017" | rename COMMENT as "above creates fake data, below is your solution" | eval start_epoch = strptime(start_date, "%d/%m/%Y") | eval end_epoch = strptime(end_date, "%d/%m/%Y") | eval gap_in_seconds = end_epoch - start_epoch | eval gap_in_days = round(gap_in_seconds / 86400)
hope it helps
The difference between these two dates is
181. And if you want to add last day also in your count then add
1 in your search. Is that any specific calculation for getting
| makeresults | eval start_date="01/01/2017",end_date="01/07/2017" | eval dates=mvcount(mvrange(strptime(start_date,"%d/%m/%Y"),strptime(end_date,"%d/%m/%Y"),86400))
| eval dates=dates+1
Hi, don't work. Specifically, when i use the function strptime(StardDate) or strptime(EndDate) i lost all data in these fields. Splunk don't convert my string in strptime, so, When i try to do difference between startdate and enddate i don't have any output.
I've one file CSV. In this file i have some fields, two of this are date. Splunk read this date like a strings. Now, i have need to calcolate the difference between this two dates, row-by-row. My final output must be a new column with all difference of this dates in days. i wrote 183 days, but was an example. I want all difference, for any row and any dates, in day, only this.
I try to write this:
| eval startepoch = strptime(StardDate, "%d/%m/%Y")
| eval endepoch = strptime(EndDate, "%d/%m/%Y")
| eval gapinseconds = endepoch - startepoch
| eval gapindays = round(gapinseconds / 86400)
and my output is null. Splunk don't convert my string date in strptime, if i try to write only " eval start_epoch = strptime(StardDate, "%d/%m/%Y")" i don't see anythings, i don't have output.
I have tried with below CSV content. It's working. Is that any space OR double quotes in your CSV content?
StardDate,EndDate 01/01/2017,01/07/2017 01/01/2017,01/08/2017 01/01/2017,01/09/2017 01/01/2017,01/10/2017
Can i see how work on your splunk? It make the difference between these dates? (in day). Because my CVS is not controllable from me, i can't modify it. I can try to upload a my file with some dates and do test for it.
I've data protect from non disclosure agreement. Now i try with a my CSV test and i see if run. If i continue to have problem i ask here, thank you.