Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract dates from event results and compare them?

ayoko001
New Member
‎10-05-2016 12:01 PM

Hi, I've been doing lots of study on this, and now I am stuck.. hoping to get some insight here. I'm an absolute noob on Splunk.

So when I type REGAVAIL on Splunk. it will show results like this: 

10/5/16 
1:48:41.067 PM  
2016-10-05 13:48:41,067 INFO  [com.shc.regional] (http-10.236.100.23-9680-52) 04651799000|55330|1|REGAVAIL|10072016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:40.792 PM  
2016-10-05 13:48:40,792 INFO  [com.shc.regional] (http-10.236.100.23-9680-5) 02227653000|92040|1|REGAVAIL|10132016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:40.295 PM  
2016-10-05 13:48:40,295 INFO  [com.shc.regional] (http-10.236.100.23-9680-40) 02294142000|02149|1|REGAVAIL|10082016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:39.943 PM  
2016-10-05 13:48:39,943 INFO  [com.shc.regional] (http-10.236.100.23-9680-46) 07120390000|46268|1|REGAVAIL|10112016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode

I want to be able to compare the dates "2016-10-05" and dates "10112016" <- (always come after REGAVAIL).

Now, what I have so far is this: 

REGAVAIL | regex _raw="^(?P[^ ]+)(?:[^\|\n]*\|){4}(?P\d+)" | eval time_a=strftime(date1, "%m%d%Y") | eval time_b=strftime(date2, "%Y-%m-%d") | where time_b!= time_a

Splunk did not complain about syntax, but no results were found. Does anybody see any problem in my query??

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-05-2016 01:05 PM

You have the right idea, but in the wrong direction. Use strptime to convert time strings into epoch format before comparing them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...