Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a variable that contains a date X days in the past relative to now?

HattrickNZ
Motivator
‎02-25-2016 03:05 PM

I am looking to create a variable that contains a date X days in the past from now.

How do I do this?

This is a fixed date in the past: 

| eval mylimit=strptime("28 may 2013","%d %b %Y") | table mylimit |

This then converts the above to a date format that I want:

| eval mylimit2=strftime(mylimit, "%d/%m/%Y")

However, I want this to be relative to today and stored in a variable that I can use in a search.

possible related Q

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aladda_splunk
Splunk Employee
Splunk Employee
‎02-25-2016 03:35 PM

This might help. Toggle the # of days back in time by changing from -1 to however far back in time you want to go

| eval aaa=relative_time(now(),"-1d") | eval bbb=strftime(aaa,"%d/%m/%Y")

View solution in original post

Reply
Solved! Jump to solution
Solution

aladda_splunk
Splunk Employee
Splunk Employee
‎02-25-2016 03:35 PM

This might help. Toggle the # of days back in time by changing from -1 to however far back in time you want to go

| eval aaa=relative_time(now(),"-1d") | eval bbb=strftime(aaa,"%d/%m/%Y")

Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎02-25-2016 04:34 PM

that works.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-25-2016 03:30 PM

You can use the function relative_time (available with eval and where) to get a relative date from a date field (epoch value). See this run anywhere sample)

| gentimes start=-1 |  eval SameDayLastWeek=relative_time(now(),"-1w") | eval SameDayLastMonth=relative_time(now(),"-1mon") | eval Today=now()| convert ctime(*)
Reply
Solved! Jump to solution

HattrickNZ
Motivator
‎02-25-2016 04:36 PM

tks good to know but will got with aladda answer as it more suits my requirements.tks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...