Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare an empty field with epoch time?

jam00
Explorer
‎05-23-2019 08:39 AM

Hello,

I have two fields: dateTimeA and dateTimeB.
When dateTimeA is empty, I add "NULL" string. Then I use strptime(dateTimeB) to get a numeric value based on epoch. How can I use dateTimeA to compare with a numeric value?

| eval dateTimeA=if((dateTimeA == "NULL"),dateTimeA,strptime(dateTimeA,"%Y-%m-%dT%H:%M:%S")) 
| eval dateTimeB=strptime(dateTimeB,"%Y-%m-%dT%H:%M:%S")
| where (dateTimeA < dateTimeB)

Thank you in advance.

0 Karma
Reply

koshyk
Super Champion
‎05-23-2019 08:46 AM

Please try to put 1 instead of NULL (or current time using now() )

 | eval dateTimeA=if((dateTimeA == "NULL"),"1",strptime(dateTimeA,"%Y-%m-%dT%H:%M:%S")) 
 | eval dateTimeB=strptime(dateTimeB,"%Y-%m-%dT%H:%M:%S")
 | where (dateTimeA < dateTimeB)

..

0 Karma
Reply

jam00
Explorer
‎05-23-2019 08:59 AM

dateTimeA field has dates or empties. If I use 1 that means one second, isn't it? So if I compare it with an epoch value near 1 the evaluation would be true... 1 < 1

0 Karma
Reply

jam00
Explorer
‎05-23-2019 09:02 AM

but I have an eval dateTimeA =coalesce(dateTimeA,"NULL") prior.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...