Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate the difference between a specific date and the last 60 days?

balleste
Engager
‎10-07-2016 03:35 AM

Hello,

I have the following output:

"ACME Enterprises","227671","bugs.bunny@acme.com","","","2016-10-01","14:18:11","Entertainment","Test"

I wanted to calculate today's date minus the date in the output (2016-06-30) and table like so:

ACME Enterprises, 2016-06-30, 6

Any help would be great.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-08-2016 01:53 PM

You need to use epoch times and the relative_time command with -60d:

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions

0 Karma
Reply

cmerriman
Super Champion
‎10-07-2016 07:43 AM 
...|convert mktime(_time) as time|eval days=round((now()-time)/86400,0)

possibly something like this. mktime converts human readable to epoch, then using that to subtract from the current timestamp and dividing by the seconds in a day, that should give you total days.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2016 05:50 AM

There is no built-in function to subtract dates. You must first convert both dates into epoch form, do the calculation, then convert the result into readable form.

... | eval eDate = strptime(<your date field>,"%Y/%m/%d") | eval days = (now() - eDate)/86400 | table foo, <your date field>, days
---
If this reply helps you, Karma would be appreciated.
Reply

vr2312
Builder
‎10-07-2016 05:36 AM

index=xyz| eval OldTime = relative_time(now(),"-60d") | table OldTime timestamp | eval OldTime=strftime(OldTime,"%Y-%m-%d %H:%M:%S")

This should work @balleste

0 Karma
Reply

gfreitas
Builder
‎10-07-2016 04:43 AM

Not very sure if I understood your question. You want to take 07/Oct - 01/Oct and receive 30/Jun??

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...