Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to calculate the difference between a specific date and the last 60 days?

balleste
Engager
‎10-07-2016 03:35 AM

Hello,

I have the following output:

"ACME Enterprises","227671","bugs.bunny@acme.com","","","2016-10-01","14:18:11","Entertainment","Test"

I wanted to calculate today's date minus the date in the output (2016-06-30) and table like so:

ACME Enterprises, 2016-06-30, 6

Any help would be great.

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎10-08-2016 01:53 PM

You need to use epoch times and the relative_time command with -60d:

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions

0 Karma
Reply

cmerriman
Super Champion
‎10-07-2016 07:43 AM 
...|convert mktime(_time) as time|eval days=round((now()-time)/86400,0)

possibly something like this. mktime converts human readable to epoch, then using that to subtract from the current timestamp and dividing by the seconds in a day, that should give you total days.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2016 05:50 AM

There is no built-in function to subtract dates. You must first convert both dates into epoch form, do the calculation, then convert the result into readable form.

... | eval eDate = strptime(<your date field>,"%Y/%m/%d") | eval days = (now() - eDate)/86400 | table foo, <your date field>, days
---
If this reply helps you, Karma would be appreciated.
Reply

vr2312
Builder
‎10-07-2016 05:36 AM

index=xyz| eval OldTime = relative_time(now(),"-60d") | table OldTime timestamp | eval OldTime=strftime(OldTime,"%Y-%m-%d %H:%M:%S")

This should work @balleste

0 Karma
Reply

gfreitas
Builder
‎10-07-2016 04:43 AM

Not very sure if I understood your question. You want to take 07/Oct - 01/Oct and receive 30/Jun??

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...