How to calculate number of days between the beginn...

ASISH_9 · ‎01-09-2017

Let's say the date is 20th of feb, 2017. I need to calculate the number of days starting from 1st feb, 2017 till 20th feb, 2017 ie 20 days. How can I calculate this?

somesoni2 · ‎11-04-2021

Assuming you've a field "date" with format "%Y-%m-%d", you can do something like this (run anywhere sample, replace first two lines with your base search)

| makeresults | eval date="2017-02-20" | table date | eval startOfMonth=relative_time(strptime(date,"%Y-%m-%d"),"@mon") | eval noOfDays=round((strptime(date,"%Y-%m-%d")-startOfMonth)/86400+1)

sjbriggs · ‎11-04-2021

I have a report that runs every day and is doing calculations based on the number of days that have occurred so far. After pulling my hair out and using a variety of techniques posted in these forums, I ended up with:

| eventstats dc(date_mday) AS daysInMonth

Unless i'm mistaken, the date_* fields are automatically generated in splunk (at least all the data i've seen has them) and this was the easiest and most reliable method I found.

cmerriman · ‎01-10-2017

are the dates you are calculating between values in fields? Are they the range from the time picker?

If they are values in fields, it'd be as simple as |eval daysBetween=round((time2-time1)/86400,0) given that the time fields are in epoch, if not, you'll need to do some more evaling with either strftime

If the values are from the time picker, use

|gentimes start=-1 | addinfo | dedup info_min_time info_max_time 
          | eval daysBetween=round((info_max_time-info_min_time)/86400,2)

How to calculate number of days between the beginning of the month to a date within the same month?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?