Splunk Search

How to calculate the difference between a specific date and the last 60 days?

balleste
Engager

Hello,

I have the following output:

"ACME Enterprises","227671","bugs.bunny@acme.com","","","2016-10-01","14:18:11","Entertainment","Test"

I wanted to calculate today's date minus the date in the output (2016-06-30) and table like so:

ACME Enterprises, 2016-06-30, 6

Any help would be great.

Tags (1)
0 Karma

woodcock
Esteemed Legend

You need to use epoch times and the relative_time command with -60d:

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions

0 Karma

cmerriman
Super Champion
...|convert mktime(_time) as time|eval days=round((now()-time)/86400,0)

possibly something like this. mktime converts human readable to epoch, then using that to subtract from the current timestamp and dividing by the seconds in a day, that should give you total days.

richgalloway
SplunkTrust
SplunkTrust

There is no built-in function to subtract dates. You must first convert both dates into epoch form, do the calculation, then convert the result into readable form.

... | eval eDate = strptime(<your date field>,"%Y/%m/%d") | eval days = (now() - eDate)/86400 | table foo, <your date field>, days
---
If this reply helps you, Karma would be appreciated.

vr2312
Builder

index=xyz| eval OldTime = relative_time(now(),"-60d") | table OldTime timestamp | eval OldTime=strftime(OldTime,"%Y-%m-%d %H:%M:%S")

This should work @balleste

0 Karma

gfreitas
Builder

Not very sure if I understood your question. You want to take 07/Oct - 01/Oct and receive 30/Jun??

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...