Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting rid of hours when comparing two dates

andilee
Explorer
‎05-06-2014 12:17 AM

Hi there! I have a query which compares two dates and returns a result showing which date is furthest is the future.

  • One of the date fields shows the date as dd/mm/yyyy.
  • The second date field shows the date as dd/mm/yyyy HH:mm:ss.

Because of this, the second date field is consistently showing as higher than the first, even when it actually isn't.

Has anyone got any ideas about how I could get rid of the HH:mm:ss from the second date field? I'm assuming if I get rid of that the eval will work correctly!

Thanks in anticipation!
Andrea

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎05-06-2014 12:40 AM

Hello Andrea,
If you are directly comparing the dates it might be in string format. Best way will be to convert it to epoch time format and then make a comparison. Please try this sample search

sourcetype=x|eval Date1=strptime(field1,"%d/%m/%Y")|eval Date2=strptime(field1,"%d/%m/%Y %H:%M:%S")|eval Greater=if(Date1>Date2,"Yes","No")|table Date1,Date2,Greater

Thanks

View solution in original post

Reply
Solved! Jump to solution

andilee
Explorer
‎05-06-2014 04:50 PM

Hooray!! One date still has hours, the other doesn't - but the result is correct, and that is what matters 🙂

Thank you so much for your help!!

0 Karma
Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎05-06-2014 12:40 AM

Hello Andrea,
If you are directly comparing the dates it might be in string format. Best way will be to convert it to epoch time format and then make a comparison. Please try this sample search

sourcetype=x|eval Date1=strptime(field1,"%d/%m/%Y")|eval Date2=strptime(field1,"%d/%m/%Y %H:%M:%S")|eval Greater=if(Date1>Date2,"Yes","No")|table Date1,Date2,Greater

Thanks

Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...