Splunk Search

How to add 1 month to a current date field in a search?

kmcaloon
Explorer

I have a table with an ID in it and a date. I've converted the date to be YYYYMMDD. Based on that date field, I would like to create a whole new column that takes the current date field and adds a month to populate the column/row. I don't want to use relative now() time, I want to take my data point and add a month to it.

So my search is

index=product_index punct="__::_..___::_:_:____'_______,__\\\\____'" | convert ctime(_time) as monitor_start timeformat=%Y-%m-%d| table Employee_ID, monitor_start, monitor_end | outputlookup users.csv

I need to add another pipe that does something such as | eval monitor_end=(monitor_start+1mon) but that doesn't work.

If I can get a new column called monitor_end, I would do a format on that as well. | convert ctime(monitor_end) timeformat=%Y-%m-%d

0 Karma
1 Solution

sundareshr
Legend

Try this

.... | eval monitor_end=relative_time(_time, "+1mon") | eval monitor_start=strftime(_time, "%Y-%m-%d") | eval monitor_end=strftime(monitor_end, "%Y-%m-%d") | ...

kmcaloon
Explorer

Thank you!!! This worked perfectly.

0 Karma
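
Added example, not part of the original thread: the accepted approach applied to a date that exists only as a YYYY-MM-DD string field (for instance after it has been written to a lookup), so it is parsed with strptime before relative_time adds the month. The makeresults rows, the Employee_ID values and the start_epoch field name are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval Employee_ID="E".tostring(n)
| eval monitor_start=case(n=1, "2022-01-15", n=2, "2022-01-31", n=3, "2022-12-10")
| eval start_epoch=strptime(monitor_start, "%Y-%m-%d")
| eval monitor_end=strftime(relative_time(start_epoch, "+1mon"), "%Y-%m-%d")
| table Employee_ID, monitor_start, monitor_end
```

The 2022-01-31 and 2022-12-10 rows are included so you can check how a month-end date and a year boundary come out on your own instance before relying on monitor_end.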