Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare close date with start date?

vishalduttauk
Communicator
‎09-30-2022 03:02 AM

Hi there,

I am new to this kind of analysis within Splunk but i've been asked to create a filter on events where the closed date is before the start date.

This is the search I have created but can't get it working:

index=main sourcetype="CRA_Consumer_Txt_data" | eval close_date=strftime(strptime(close_date,"%d%m%Y"),"%d/%m/%Y") | eval start_date=strftime(strptime(start_date,"%d%m%Y"),"%d/%m/%Y") | search close_date < start_date | table start_date, close_date

 

This is an example of what even is shown when i run that search

 

start_date        close_date

30/04/2021        23/05/2021

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 03:12 AM

Hi

You are quite close. When you are comparing dates it should always convert to epoch and then do the comparison.

index=main sourcetype="CRA_Consumer_Txt_data" 
| eval close_date_epoch = strptime(close_date,"%d%m%Y") 
| eval start_date_epoch = strptime(start_date,"%d%m%Y")
| where close_date_epoch < start_date_epoch
| eval close_date = strftime(close_date_epoch, "%d/%m/%Y"),
       start_date = strftime(start_date_epoch, "%d/%m/%Y")
| table start_date, close_date

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2022 03:12 AM

Hi

You are quite close. When you are comparing dates it should always convert to epoch and then do the comparison.

index=main sourcetype="CRA_Consumer_Txt_data" 
| eval close_date_epoch = strptime(close_date,"%d%m%Y") 
| eval start_date_epoch = strptime(start_date,"%d%m%Y")
| where close_date_epoch < start_date_epoch
| eval close_date = strftime(close_date_epoch, "%d/%m/%Y"),
       start_date = strftime(start_date_epoch, "%d/%m/%Y")
| table start_date, close_date
Reply
Solved! Jump to solution

vishalduttauk
Communicator
‎09-30-2022 03:19 AM

Thanks @isoutamo that has worked a treat and I now know to use epoch for this type of comparison! 😀

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...