Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the difference between a specific date and the last 60 days?

balleste
Engager
‎10-07-2016 03:35 AM

Hello,

I have the following output:

"ACME Enterprises","227671","bugs.bunny@acme.com","","","2016-10-01","14:18:11","Entertainment","Test"

I wanted to calculate today's date minus the date in the output (2016-06-30) and table like so:

ACME Enterprises, 2016-06-30, 6

Any help would be great.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-08-2016 01:53 PM

You need to use epoch times and the relative_time command with -60d:

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions

0 Karma
Reply

cmerriman
Super Champion
‎10-07-2016 07:43 AM 
...|convert mktime(_time) as time|eval days=round((now()-time)/86400,0)

possibly something like this. mktime converts human readable to epoch, then using that to subtract from the current timestamp and dividing by the seconds in a day, that should give you total days.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2016 05:50 AM

There is no built-in function to subtract dates. You must first convert both dates into epoch form, do the calculation, then convert the result into readable form.

... | eval eDate = strptime(<your date field>,"%Y/%m/%d") | eval days = (now() - eDate)/86400 | table foo, <your date field>, days
---
If this reply helps you, Karma would be appreciated.
Reply

vr2312
Contributor
‎10-07-2016 05:36 AM

index=xyz| eval OldTime = relative_time(now(),"-60d") | table OldTime timestamp | eval OldTime=strftime(OldTime,"%Y-%m-%d %H:%M:%S")

This should work @balleste

0 Karma
Reply

gfreitas
Builder
‎10-07-2016 04:43 AM

Not very sure if I understood your question. You want to take 07/Oct - 01/Oct and receive 30/Jun??

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...