Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to find the number or days between a fixed date and Today date

Raghav2384
Motivator
‎07-08-2014 11:00 AM

Hello Experts,

Here's our requirement: We are performing an auto repair process based on the Splunk output. The goal is not to perform the automation tool twice. Here's the logic i tried...there's a field called last_communicated_time so i want to find no. of days like last_communicated_time - 6/1/2014 in days and assign it to a constant....so if the number increases, we are going to ignore assuming that the remediation tool tried but couldn't fix it.

Example: host X needs to be repaired only once.....we apply the remediation for the first time...if it shows up in the list again,i want to avoid it.

Thanks,
Raghav

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎07-08-2014 11:18 AM

If last_communicated_time is in epoch time 

your search | eval NoOfDays=floor((now()-last_communicated_time)/(3600*24))

If its in string with specific format of date (say "%Y/%b/%d %H:%M:%S")

your search | eval NoOfDays=floor((now()-strptime(last_communicated_time,"%Y/%b/%d %H:%M:%S"))/(3600*24))

Updated Answer

sourcetype="dg_agents"|table agent_state dest_host is_communicating last_communicated_time os version
|eval Scope = if(agent_state="Terminated","In Scope",if(agent_state="Disabled","In Scope","Out of Scope"))
|where Scope = "In Scope"
| eval Days=floor((now()-strptime(last_communicated_time,"%Y-%m-%d %H:%M:%S.%3Q"))/(3600*24))
Reply

somesoni2
Revered Legend
‎07-09-2014 06:31 AM

If you want to use fixed timestamp (string format) instead of now() (epoch format), you would have to convert it to epoch before using.
(your example)
|eval Days=floor((strptime("2014-07-08 23:59:59.000","%Y-%m-%d %H:%M:%S.%3Q")-last_communicated_time)/(3600*24))

0 Karma
Reply

Raghav2384
Motivator
‎07-08-2014 07:59 PM

Also, is there a way to use a fixed timestamp instead of now()? Example:eval Days = floor((2014-07-08 23:59:59.000-last_communicated_time)/(3600*24)) ?My logic is to use one static value and one dynamic value and ignore if the count changes. Thanks in advance!

0 Karma
Reply

Raghav2384
Motivator
‎07-08-2014 05:34 PM

Perfect...This worked!!!!

0 Karma
Reply

somesoni2
Revered Legend
‎07-08-2014 02:02 PM

Try updated answer.

0 Karma
Reply

Raghav2384
Motivator
‎07-08-2014 01:00 PM

Hey somesoni2, Thank you for the quick answer. Here's the last_communicated_time format 2014-07-07 11:22:56.0 . Days column is all blank
Here's the search
sourcetype="dg_agents"|table agent_state dest_host is_communicating last_communicated_time os version|eval Scope = if(agent_state="Terminated","In Scope",if(agent_state="Disabled","In Scope","Out of Scope"))|eval Days = round((now()-last_communicated_time)/(3600*24))|where Scope = "In Scope"

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...