Splunk Search

How to subtract one date from another date?

OmarDee
Explorer

Hi All,

How can I subtract one date from another?
Please help. Thanks!

1 Solution

OmarDee
Explorer

Hi All!

I've found the answer. Kindly see the code below.

|convert timeformat="%m/%d/%Y" mktime(start) as starttime mktime(end) as endtime |eval result=(endtime-starttime)/86400


akuma142
Engager

Hi

Need to subtract
12-Jun-2018 03:17:20 ---- 12-Jun-2018 03:17:39


Damien_Dallimor
Ultra Champion

Subtracts 1 day from the event time (_time) and puts the result into another field (time_one_day_before)

... | eval time_one_day_before=strftime(relative_time(_time, "-1d"),"%Y-%m-%d %H:%M:%S") | ...

OmarDee
Explorer

Thanks, but this is not exactly what I mean.
ex:
Date_One=07/07/2014
Date_Two=07/05/2014

Date_One and Date_Two are the field names.

How do I subtract days? Please help! Thanks!

Ayn
Legend

If your date is in epoch format:

... | eval subtracted_date=your_date-86400

If your date isn't in epoch format (you're not telling us if it is), you need to convert it to epoch first using eval's strftime function.

Ayn
Legend

Well are you getting the "it" and "ot" fields OK?


OmarDee
Explorer

It has no result in the field named "diff". Is my formula wrong, or is something missing in my code? Please help. Thank you.


Ayn
Legend

That looks OK, where are you getting stuck?


OmarDee
Explorer

Hi, this is my formula.

| eval it = strptime(Date_One, "%m/%d/%Y")
| eval ot = strptime(Date_Two, "%m/%d/%Y")
| eval diff = (ot - it)
|table diff

ex:
Date_One=07/07/2014
Date_Two=07/05/2014

Can you help me how to subtract a day? Thanks!


astackpole
Path Finder

I know this is super old, but I ran into this today and wanted to share in case anyone else needs it and comes across this post. The below will give you the difference as a number of days.

| eval it = strptime(Date_One, "%m/%d/%Y")
| eval ot = strptime(Date_Two, "%m/%d/%Y")
| eval diff = (round((ot-it)/86400,0))
| table diff


If this answer helps you an upvote is appreciated! 🙂

Happy Splunking!

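As an added, self-contained example (not code from any poster in this thread), the search below combines the strptime approach from OmarDee's formula with astackpole's rounding, and extends it to the second date format akuma142 asked about. The input rows are constructed inline with makeresults so it runs on any search head without data; the field names Date_One, Date_Two, it, ot, diff_secs, diff_days and parse_error are chosen here, and the coalesce over two strptime formats and the parse_error guard are my additions, not something the thread shows. The 03/09/2014 to 03/11/2014 pair is included on purpose: it straddles the 2014 US daylight-saving change, so on a search head whose timezone observes it, strptime yields midnight local time on both days and ot-it comes out as 169200 rather than 172800 seconds, which is exactly why round() is needed before treating the result as whole days.

```spl
| makeresults
| eval data="07/07/2014,07/05/2014;03/09/2014,03/11/2014;12-Jun-2018 03:17:20,12-Jun-2018 03:17:39;07/07/2014,not-a-date"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<Date_One>[^,]+),(?<Date_Two>.+)$"
| eval it=coalesce(strptime(Date_One,"%m/%d/%Y"), strptime(Date_One,"%d-%b-%Y %H:%M:%S"))
| eval ot=coalesce(strptime(Date_Two,"%m/%d/%Y"), strptime(Date_Two,"%d-%b-%Y %H:%M:%S"))
| eval diff_secs=ot-it
| eval diff_days=round(diff_secs/86400,0)
| eval parse_error=if(isnull(it) OR isnull(ot), "unparsed date", null())
| table Date_One Date_Two diff_secs diff_days parse_error
```

strptime returns null when the string does not match the format, so coalesce simply takes whichever format parsed. Because eval arithmetic on a null operand is null, the malformed last row produces an empty diff_secs and diff_days rather than a misleading zero, and the parse_error column makes that visible instead of silently dropping the row from a table. The first row gives -2 days (Date_Two is earlier than Date_One; wrap the subtraction in abs() if only the magnitude matters), the third row gives 19 seconds and 0 days, and the DST row still rounds to 2.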