Solved: How to check in date in field is within range

kxmorrr · ‎08-13-2021

Hi, I am trying to check if date that is stored within a field in table is within the last 24h from the moment the search is ran.
I do NOT mean that for the search itself, it is set to 30 days in my case and I cant change it, I want to check the value within only a specific field.

For example I receive the following date:
2021-05-13T12:02:44.000+0000
And I need to know if its a date from the last 24h or not.

So far I am out of luck, any ideas?

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

How to check in date in field is within range

eval

regex

stats

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?