Solved: How to check in date in field is within range

kxmorrr · ‎08-13-2021

Hi, I am trying to check if date that is stored within a field in table is within the last 24h from the moment the search is ran.
I do NOT mean that for the search itself, it is set to 30 days in my case and I cant change it, I want to check the value within only a specific field.

For example I receive the following date:
2021-05-13T12:02:44.000+0000
And I need to know if its a date from the last 24h or not.

So far I am out of luck, any ideas?

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

How to check in date in field is within range

eval

regex

stats

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation