Solved: Evaluate difference between 2 (string) dates in th...

bjbrookz · ‎07-16-2024

Hello, I'm struggling mightily with this one. I have two dates in the same event, both are strings. Their format is below. I would like to evaluate the number of days between the firstSeen and lastSeen dates. I would also like to evaluate the number of days since firstSeen and when the search is performed. Any help would be much appreciated...

firstSeen: Aug 27, 2022 20:18:37 UTC

lastSeen: Jun 23, 2024 06:17:25 UTC

Tom_Lundie · ‎07-16-2024

Hi,

You can do that with an eval command.

| eval firstSeenTS = strptime(firstSeen, "%b %d, %Y %H:%M:%S %Z"),
lastSeenTS = strptime(lastSeen, "%b %d, %Y %H:%M:%S %Z"),
firstLastDiff = (lastSeenTS - firstSeenTS)/86400,
firstNowDiff = (now() - firstSeenTS)/86400

If you want to round your days down to whole numbers you can use floor()

View solution in original post

Tom_Lundie · ‎07-16-2024

Hi,

You can do that with an eval command.

| eval firstSeenTS = strptime(firstSeen, "%b %d, %Y %H:%M:%S %Z"),
lastSeenTS = strptime(lastSeen, "%b %d, %Y %H:%M:%S %Z"),
firstLastDiff = (lastSeenTS - firstSeenTS)/86400,
firstNowDiff = (now() - firstSeenTS)/86400

If you want to round your days down to whole numbers you can use floor()

bjbrookz · ‎07-16-2024

Outstanding. That worked perfectly. Thank you.

Evaluate difference between 2 (string) dates in the same event.

eval

fields

subsearch

Splunk MCP & Agentic AI: Machine Data Without Limits

Application management with Targeted Application Install for Victoria Experience

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Join the Conversation