Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to subtract one date from another date?

OmarDee
Explorer
‎08-27-2014 01:58 AM

Hi All,

How can I subtract one date from another?
Please help. thanks!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

OmarDee
Explorer
‎08-27-2014 04:53 AM

Hi All!

I've found the answer. kindly see the codes below.

|convert timeformat="%m/%d/%Y" mktime(start) as starttime mktime(end) as endtime |eval result=(endtime-starttime)/86400

View solution in original post

Reply
Solved! Jump to solution

akuma142
Engager
‎06-12-2018 12:30 AM

Hi

Need to substract
12-Jun-2018 03:17:20 ---- 12-Jun-2018 03:17:39

0 Karma
Reply
Solved! Jump to solution
Solution

OmarDee
Explorer
‎08-27-2014 04:53 AM

Hi All!

I've found the answer. kindly see the codes below.

|convert timeformat="%m/%d/%Y" mktime(start) as starttime mktime(end) as endtime |eval result=(endtime-starttime)/86400

Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎08-27-2014 02:12 AM

Subtracts 1 day from the event time (_time) and puts the result into another field (time_one_day_before)

... | eval time_one_day_before=strftime(relative_time(_time, "-1d"),"%Y-%m-%d %H:%M:%S") | ...
Reply
Solved! Jump to solution

OmarDee
Explorer
‎08-27-2014 02:49 AM

thanks, but this is not what exactly I mean.
ex:
Date_One=07/07/2014
Date_Two=07/05/2014

Date_One and Date_Two are the field names.

how do I subtract a days? please help! thanks!

Reply
Solved! Jump to solution

Ayn
Legend
‎08-27-2014 02:02 AM

If your date is in epoch format:

... | eval subtracted_date=your_date-86400

If your date isn't in epoch format (you're not telling us if it is), you need to convert it to epoch first using eval's strftime function.

Reply
Solved! Jump to solution

Ayn
Legend
‎08-27-2014 03:15 AM

Well are you getting the "it" and "ot" fields OK?

0 Karma
Reply
Solved! Jump to solution

OmarDee
Explorer
‎08-27-2014 02:43 AM

it has no result from the field name "diff". because my formula is wrong or something missing my codes? please help. thank you.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎08-27-2014 02:28 AM

That looks OK, where are you getting stuck?

0 Karma
Reply
Solved! Jump to solution

OmarDee
Explorer
‎08-27-2014 02:19 AM

hi, this is my formula.

| eval it = strptime(Date_One, "%m/%d/%Y")
| eval ot = strptime(Date_Two, "%m/%d/%Y")
| eval diff = (ot - it)
|table diff

ex:
Date_One=07/07/2014
Date_Two=07/05/2014

Can you help me how to subtract a day? Thanks!

0 Karma
Reply
Solved! Jump to solution

astackpole
Path Finder
‎05-18-2021 09:48 AM

I know this is super old but I ran into this today and wanted to share in case anyone else needs it again and comes across this post. The below will give you an output of the difference by # of days.

| eval it = strptime(Date_One, "%m/%d/%Y")
| eval ot = strptime(Date_Two, "%m/%d/%Y")
| eval diff = (round((ot-it)/86400,0))
| table diff

 

If this answer helps you an upvote is appreciated! 🙂

Happy Splunking!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...