Solved: How to compare a certain date/time in epoch format...

skender27 · ‎09-01-2015

Hi,

I'd like to compare two dates and time (if A<=B):
the one, let's call it A, I have it already in epoch time and the second, let's call it B, is a fixed date and time, which is exactly 31-08-2015 23:59:59.

I tried it like this (converted A in human readable date/time):

| eval compare = strftime(A, "%d-%m-%Y %T")
| where compare<=B*

but it doesn't work...

Any suggestion,

Thanks,
Skender

somesoni2 · ‎09-01-2015

Try something like this

your current search giving field A in epoch | where A<=strptime("31-08-2015 23:59:59","%d-%m-%Y %H:%M:%S")

View solution in original post

somesoni2 · ‎09-01-2015

Try something like this

your current search giving field A in epoch | where A<=strptime("31-08-2015 23:59:59","%d-%m-%Y %H:%M:%S")

skender27 · ‎09-01-2015

Thank you!
I inserted the "| where" inside the macro I used in the report.

It works perfectly now!
Skender K.

aarontimko · ‎09-01-2015

My understanding is strftime will result in a Formatted string whereas strptime will result in a Parsed timestamp, so if you want to compare timestamps, you will want the value to be a timestamp, not a string.

http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/CommonEvalFunctions
(Scroll down to "Date and Time functions")

I think if you try strptime like in this answer, it will work:
https://answers.splunk.com/answers/37272/compare-two-date.html

How to compare a certain date/time in epoch format with a fixed date/time in human readable format?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life