Splunk Search

Eval if date stamp is a certain month?

Path Finder

I need to eval if a date+time stamp (for example: 2018-02-22 21:54:00.380000) falls in a certain month (i.e. jan, feb, etc).

If so, I need to write data to a column of my creation, how would I accomplish this?

Tags (3)
0 Karma

Path Finder

Hey Rkassabov,

Try something like this:

Your search | eval currentmonth=relative_time(now(), "@mon") | eval previousmonth=relative_time(now(),"-1mon@mon") | 

In your case you can use whatever field generates 2018-02-22 21:54:00.380000 and have eval convert it to a month and then use more evals to do the math.

https://answers.splunk.com/answers/290050/how-to-extract-month-from-a-date-field-and-sort-by.html

Or you can try converting the date field into Epoch Time, which I found much easier to work with.

For example, I wanted to see only tickets from the previous month in my ticketing system (however my resolved_at field was hard to work with so I converted it to epoch time):

| eval Rtime=strptime(resolved_at, "%Y-%m-%d %H:%M:%S") | eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") |  where Rtime <= end AND Rtime >= start AND _time <= end AND _time >= start |
0 Karma

Path Finder

I still don't understand. In the first example, how would I only perform an operation if the month in the datestamp is march?

I get that I have to convert the datestamp to make it easier to work with, but how do I check if that new epoch time is the first, second, third etc month of the year, then perform an operation?

0 Karma

Path Finder

Hey, so the below eval will run against the current time, then extract the current month and label it as currentmonth:

| eval currentmonth=relative_time(now(), "@mon") 

For example "currentmonth" returns this value today: 1522562400.000000

Put that into a website like this : https://www.epochconverter.com/

Then you have a epoch time that Splunk created for the begining of the month: GMT: Sunday, April 1, 2018 6:00:00 AM

Then the @mon part of the search, extracts specifically the month from the currently time.

You could easily tweak this to do the same to which ever field is generating your date and time.

    | eval new_date=strftime(strptime(<yourfield>, "%Y-%m-%d %H:%M:%S"),"%m")
## This will convert your field into epoch time. Then you could use something like below to tell your search which month you are looking for.
| eval end=relative_time(now(), "@mon") | eval start=relative_time(now(),"-1mon@mon") 
|  where new_date <= end AND new_date >= start AND _time <= end AND _time >= start |
0 Karma

Path Finder

It looks like you are comparing the datestamp to the current time and looking to see if it was in the previous month.

0 Karma

Revered Legend

Are you looking for writing a case expression to set value based on month of the timestamp (assuming _time is the field)? If yes, you can do like this

your base search
|eval month=strftime(new_date_epoch,"%b")
| eval ColOfYourCreation=case(month="jan","Specific to Jan value", month="feb","Specific to Feb value",....., true(),"Some Default value")
0 Karma

Path Finder

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?

0 Karma

Revered Legend

The |eval month=strftime(new_date_epoch,"%b") portion is where you'd specify our date+timestamp field. If you date+timestamp is a single field with value already in epoch format, just specify the field name there. If it's in string format, then you'd need to convert it to epoch within that expression, like |eval month=strftime(strptime(YourTimestampFieldHere,"TimestampFormatWillComeHere"),"%b"). The eval-case expression is where you match month and assign specific value.

0 Karma

Motivator

Hey@rkassabov,

You can try using the default splunk field "date_month"
So your query should be like:
index=.. | stats ... by date_month

Let me know if this helps!!

0 Karma

Path Finder

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?

0 Karma

Motivator

Try this, I took _time and convert to epoch time from there I can able to eval my month

Yoursearch| eval new_date_epoch=_time|eval month=strftime(new_date_epoch,"%b")|table _time,new_date_epoch,month,_raw
0 Karma

Path Finder

Where does my current date+time stamp go in this? Also how do I specify what month I am looking for?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!