Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the days between earliest date and now

Mike6960
Path Finder
‎10-24-2017 07:38 AM

I have the following search:

..index bla bla...
| eval eD_A=strptime(D_A, "%Y-%m-%d %H:%M:%S.%N") , eD_AV=strptime(D_AV, "%Y-%m-%d %H:%M:%S.%N")
| eval days=floor((eD_A- e D_AV)/86400)

| stats count as daycount by days

| eval days = if(days<=7,"Binnen KPI","Buiten KPI")

| stats sum(daycount) as daycount by days

The problem I have is that some events don't have the D_A field because the process is not ready yet. I still would like to try calculate the days between the D_AV and now in the case when D_A has no date yet. Another question I have is how i can calculate with the earliest D_AV field because this is also a date that can differ.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 07:54 AM

Hi Mike 6960,
replace eD_A=strptime(D_A, "%Y-%m-%d %H:%M:%S.%N") with

eD_A=coalesce(strptime(D_A, "%Y-%m-%d %H:%M:%S.%N"),now())

For the second question, what do you mean with "D_AV field because this is also a date that can differ."?

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 07:54 AM

Hi Mike 6960,
replace eD_A=strptime(D_A, "%Y-%m-%d %H:%M:%S.%N") with

eD_A=coalesce(strptime(D_A, "%Y-%m-%d %H:%M:%S.%N"),now())

For the second question, what do you mean with "D_AV field because this is also a date that can differ."?

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎10-24-2017 08:01 AM

For the same id an event can have a different D_AV date. For example:

ID D_AV STATUS

1 2017-10-10 A
2 2017-09-11 A
1 2017-10-23 A

For the calculation (| eval days=floor((eD_A- e D_AV)/86400)) I want to use the earliest D_AV . I tried this withe earliest but it doesn't seem to work

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 08:41 AM

Hi Mike 6960,
do you have more events with the same ID that have different D_AV ?

If this is your situation you must add an additional stats command before the first eval

| stats values(eD_A) AS eD_A earliest(eD_AV) AS eD_AV BY ID

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎10-24-2017 10:54 PM

sadly, this does not work, somehow bij 'events' it gives result but in 'statistics'and 'visualization' it gives 'No results found'

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-25-2017 12:41 AM

Sorry I was in train and I written an error, try with: 

..index bla bla...
| stats values(D_A) AS D_A earliest(D_AV) AS D_AV BY ID
| eval 
   eD_A=coalesce(strptime(D_A, "%Y-%m-%d %H:%M:%S.%N"),now()), 
   eD_AV=strptime(D_AV, "%Y-%m-%d %H:%M:%S.%N") 
| eval days=floor((eD_A- e D_AV)/86400) 
| stats count as daycount by days 
| eval days = if(days<=7,"Binnen KPI","Buiten KPI") 
| stats sum(daycount) as daycount by days

If you have more D_As for each ID use earliest instead values in the first stats command

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎10-25-2017 12:35 AM

with some tweaking it now works, thanks!!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...