Solved: How to check in date in field is within range

kxmorrr · ‎08-13-2021

Hi, I am trying to check if date that is stored within a field in table is within the last 24h from the moment the search is ran.
I do NOT mean that for the search itself, it is set to 30 days in my case and I cant change it, I want to check the value within only a specific field.

For example I receive the following date:
2021-05-13T12:02:44.000+0000
And I need to know if its a date from the last 24h or not.

So far I am out of luck, any ideas?

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

How to check in date in field is within range

eval

regex

stats

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?