Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract dates from event results and compare them?

ayoko001
New Member
‎10-05-2016 12:01 PM

Hi, I've been doing lots of study on this, and now I am stuck.. hoping to get some insight here. I'm an absolute noob on Splunk.

So when I type REGAVAIL on Splunk. it will show results like this: 

10/5/16 
1:48:41.067 PM  
2016-10-05 13:48:41,067 INFO  [com.shc.regional] (http-10.236.100.23-9680-52) 04651799000|55330|1|REGAVAIL|10072016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:40.792 PM  
2016-10-05 13:48:40,792 INFO  [com.shc.regional] (http-10.236.100.23-9680-5) 02227653000|92040|1|REGAVAIL|10132016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:40.295 PM  
2016-10-05 13:48:40,295 INFO  [com.shc.regional] (http-10.236.100.23-9680-40) 02294142000|02149|1|REGAVAIL|10082016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:39.943 PM  
2016-10-05 13:48:39,943 INFO  [com.shc.regional] (http-10.236.100.23-9680-46) 07120390000|46268|1|REGAVAIL|10112016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode

I want to be able to compare the dates "2016-10-05" and dates "10112016" <- (always come after REGAVAIL).

Now, what I have so far is this: 

REGAVAIL | regex _raw="^(?P[^ ]+)(?:[^\|\n]*\|){4}(?P\d+)" | eval time_a=strftime(date1, "%m%d%Y") | eval time_b=strftime(date2, "%Y-%m-%d") | where time_b!= time_a

Splunk did not complain about syntax, but no results were found. Does anybody see any problem in my query??

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-05-2016 01:05 PM

You have the right idea, but in the wrong direction. Use strptime to convert time strings into epoch format before comparing them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...