Splunk Search

Eval if date stamp is a certain month?

rkassabov
Path Finder

I need to eval whether a date+time stamp (for example: 2018-02-22 21:54:00.380000) falls in a certain month (e.g. Jan, Feb, etc.).

If so, I need to write data to a column of my own creation. How would I accomplish this?


hos_2
Path Finder

Hey Rkassabov,

Try something like this:

Your search | eval currentmonth=relative_time(now(), "@mon") | eval previousmonth=relative_time(now(),"-1mon@mon") | 

In your case you can use whatever field generates 2018-02-22 21:54:00.380000, have eval convert it to a month, and then use more evals to do the math.

https://answers.splunk.com/answers/290050/how-to-extract-month-from-a-date-field-and-sort-by.html

Or you can try converting the date field into Epoch Time, which I found much easier to work with.

For example, I wanted to see only tickets from the previous month in my ticketing system (however my resolved_at field was hard to work with so I converted it to epoch time):

| eval Rtime=strptime(resolved_at, "%Y-%m-%d %H:%M:%S") | eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") |  where Rtime <= end AND Rtime >= start AND _time <= end AND _time >= start |

rkassabov
Path Finder

I still don't understand. In the first example, how would I only perform an operation if the month in the datestamp is March?

I get that I have to convert the datestamp to make it easier to work with, but how do I check if that new epoch time is in the first, second, third, etc. month of the year, and then perform an operation?

hos_2
Path Finder

Hey, so the below eval will run against the current time, then extract the current month and label it as currentmonth:

| eval currentmonth=relative_time(now(), "@mon") 

For example "currentmonth" returns this value today: 1522562400.000000

Put that into a website like this : https://www.epochconverter.com/

Then you have an epoch time that Splunk created for the beginning of the month: GMT: Sunday, April 1, 2018 6:00:00 AM

Then the @mon part of the search extracts specifically the month from the current time.

You could easily tweak this to do the same to whichever field is generating your date and time.

| eval new_date=strptime(<yourfield>, "%Y-%m-%d %H:%M:%S")
## This will convert your field into epoch time. Then you could use something like below to tell your search which month you are looking for.
| eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon")
| where new_date <= end AND new_date >= start AND _time <= end AND _time >= start |

rkassabov
Path Finder

It looks like you are comparing the datestamp to the current time and looking to see if it was in the previous month.


somesoni2
SplunkTrust

Are you looking to write a case expression that sets a value based on the month of the timestamp (assuming _time is the field)? If yes, you can do it like this:

your base search
|eval month=strftime(new_date_epoch,"%b")
| eval ColOfYourCreation=case(month="Jan","Specific to Jan value", month="Feb","Specific to Feb value",....., true(),"Some Default value")

rkassabov
Path Finder

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?


somesoni2
SplunkTrust

The |eval month=strftime(new_date_epoch,"%b") portion is where you'd specify your date+timestamp field. If your date+timestamp is a single field with a value already in epoch format, just specify the field name there. If it's in string format, then you'd need to convert it to epoch within that expression, like |eval month=strftime(strptime(YourTimestampFieldHere,"TimestampFormatWillComeHere"),"%b"). The eval-case expression is where you match the month and assign a specific value.
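The case approach carried through end to end, as an added example that is not code from the thread: it parses the exact timestamp format from the question (the %6N directive consumes the six fractional-second digits), derives both the abbreviated month name and the numeric month, and fills a new column from either. The three timestamps are constructed sample values, and MyColumn and its values are placeholders; note that strftime "%b" returns capitalized abbreviations ("Feb", not "feb"), and eval string comparisons are case-sensitive.

```spl
| makeresults
| eval ts=split("2018-02-22 21:54:00.380000,2018-03-05 08:15:30.000000,2018-11-30 23:59:59.999999", ",")
| mvexpand ts
| eval ts_epoch=strptime(ts, "%Y-%m-%d %H:%M:%S.%6N")
| eval month_abbr=strftime(ts_epoch, "%b")
| eval month_num=tonumber(strftime(ts_epoch, "%m"))
| eval MyColumn=case(month_abbr="Mar", "march value", month_num=2, "february value", true(), "other month")
| table ts ts_epoch month_abbr month_num MyColumn
```

In a real search, replace the makeresults/split/mvexpand lines with your base search and ts with your timestamp field; if that field is already epoch, drop the strptime step and use it directly in strftime.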

deepashri_123
Motivator

Hey @rkassabov,

You can try using the default Splunk field "date_month".
So your query should be like:
index=.. | stats ... by date_month

Let me know if this helps!!


rkassabov
Path Finder

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?


splunker12er
Motivator

Try this: I took _time and converted it to epoch time; from there I was able to eval my month.

Yoursearch| eval new_date_epoch=_time|eval month=strftime(new_date_epoch,"%b")|table _time,new_date_epoch,month,_raw

rkassabov
Path Finder

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?
