Splunk Search

How to extract dates from event results and compare them?

ayoko001
New Member

Hi, I've been doing lots of study on this, and now I am stuck... hoping to get some insight here. I'm an absolute noob on Splunk.

So when I type REGAVAIL in Splunk, it shows results like this:

10/5/16 
1:48:41.067 PM  
2016-10-05 13:48:41,067 INFO  [com.shc.regional] (http-10.236.100.23-9680-52) 04651799000|55330|1|REGAVAIL|10072016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:40.792 PM  
2016-10-05 13:48:40,792 INFO  [com.shc.regional] (http-10.236.100.23-9680-5) 02227653000|92040|1|REGAVAIL|10132016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:40.295 PM  
2016-10-05 13:48:40,295 INFO  [com.shc.regional] (http-10.236.100.23-9680-40) 02294142000|02149|1|REGAVAIL|10082016|STC
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode
10/5/16 
1:48:39.943 PM  
2016-10-05 13:48:39,943 INFO  [com.shc.regional] (http-10.236.100.23-9680-46) 07120390000|46268|1|REGAVAIL|10112016|0|SCII
host = wsapp401p.prod.ch4.s.com source = /appl/scim/jboss/server/scim1/log/SCIMResponseCodes.log sourcetype = custom-prod-scim-respcode

I want to be able to compare the dates "2016-10-05" with the dates like "10112016" (which always come after REGAVAIL).

Now, what I have so far is this:

REGAVAIL | regex _raw="^(?P<date1>[^ ]+)(?:[^\|\n]*\|){4}(?P<date2>\d+)" | eval time_a=strftime(date1, "%m%d%Y") | eval time_b=strftime(date2, "%Y-%m-%d") | where time_b!=time_a

Splunk did not complain about the syntax, but no results were found. Does anybody see any problem in my query?


richgalloway
SplunkTrust

You have the right idea, but in the wrong direction. Use strptime to convert time strings into epoch format before comparing them.

---
If this reply helps you, Karma would be appreciated.
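Putting the reply's advice into practice, as an added example that is not part of the original thread: this Python sketch applies the question's own pattern to its four sample events, converts both date strings to epoch seconds with strptime (the corrected direction), and keeps the events whose two dates differ. The equivalent SPL is given in a comment and assumes Splunk's rex command for extraction, since the regex command only filters events and extracts nothing.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the _raw text of the four REGAVAIL events from the question.
EVENTS = [
    "2016-10-05 13:48:41,067 INFO  [com.shc.regional] (http-10.236.100.23-9680-52) 04651799000|55330|1|REGAVAIL|10072016|STC",
    "2016-10-05 13:48:40,792 INFO  [com.shc.regional] (http-10.236.100.23-9680-5) 02227653000|92040|1|REGAVAIL|10132016|0|SCII",
    "2016-10-05 13:48:40,295 INFO  [com.shc.regional] (http-10.236.100.23-9680-40) 02294142000|02149|1|REGAVAIL|10082016|STC",
    "2016-10-05 13:48:39,943 INFO  [com.shc.regional] (http-10.236.100.23-9680-46) 07120390000|46268|1|REGAVAIL|10112016|0|SCII",
]

# Same pattern as the question: date1 is the leading timestamp's date, date2 is the
# MMDDYYYY field that follows REGAVAIL (the fifth pipe-delimited field).
PATTERN = re.compile(r"^(?P<date1>[^ ]+)(?:[^\|\n]*\|){4}(?P<date2>\d+)")

# Equivalent SPL (assumed, not from the thread; uses rex because regex does not extract):
# REGAVAIL
# | rex field=_raw "^(?<date1>[^ ]+)(?:[^\|\n]*\|){4}(?<date2>\d+)"
# | eval time_a=strptime(date1, "%Y-%m-%d"), time_b=strptime(date2, "%m%d%Y")
# | where time_a != time_b


def to_epoch(text, fmt):
    """strptime direction: string in the given format -> epoch seconds (UTC, like Splunk's _time)."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def compare_dates(raw):
    """Return (time_a, time_b, whole days between them), or None if the event does not match."""
    match = PATTERN.match(raw)
    if match is None:
        return None
    time_a = to_epoch(match.group("date1"), "%Y-%m-%d")  # e.g. 2016-10-05
    time_b = to_epoch(match.group("date2"), "%m%d%Y")    # e.g. 10072016
    return time_a, time_b, int((time_b - time_a) // 86400)


def mismatched(events):
    """Events whose two dates differ, i.e. what `where time_a != time_b` would return."""
    kept = []
    for raw in events:
        result = compare_dates(raw)
        if result is not None and result[0] != result[1]:
            kept.append(raw)
    return kept


if __name__ == "__main__":
    for raw in EVENTS:
        print(compare_dates(raw)[2], "day(s) apart:", raw.split(") ")[1])
```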