Solved: How to check in date in field is within range

kxmorrr · ‎08-13-2021

Hi, I am trying to check if date that is stored within a field in table is within the last 24h from the moment the search is ran.
I do NOT mean that for the search itself, it is set to 30 days in my case and I cant change it, I want to check the value within only a specific field.

For example I receive the following date:
2021-05-13T12:02:44.000+0000
And I need to know if its a date from the last 24h or not.

So far I am out of luck, any ideas?

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-13-2021

hi @kxmorrr,

You can try:

 | eval within_last_24hrs=if(strptime(date_field_name, "%Y-%m-%dT%H:%M:%S.%3N%z") >= relative_time(now(), "-24h"), "YES", "NO")

If your date field is _time:

 | eval within_last_24hrs=if(_time >= relative_time(now(), "-24h"), "YES", "NO")

If this reply helps you, a like would be appreciated.

How to check in date in field is within range

eval

regex

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation